Merge branch 'maint-20' into maint

* maint-20: Updated OTP version Prepare release Accept non-binary options as socket-options Bump version Fix broken handling of default values in extensions for PER compiler: Fix live regs update on allocate in validator Take fail labels into account when determining liveness in block ops Check for overflow when appending binaries, and error out with system_limit
author: Raimo Niskanen <[email protected]> 2017-08-24 09:37:16 +0200
committer: Raimo Niskanen <[email protected]> 2017-08-24 09:37:16 +0200
commit: 710f9437498a8a9df62a6c7cecd6eb632561754b (patch)
tree: 00d7dc89d265b8e4607b22f78445dee811834876 /erts
parent: d50bc5031eb0889c894bf20f5206cfc06162f30a (diff)
parent: 41878bba817fc2ec9e08529afe19c2655742dbd1 (diff)
download: otp-710f9437498a8a9df62a6c7cecd6eb632561754b.tar.gz
otp-710f9437498a8a9df62a6c7cecd6eb632561754b.tar.bz2
otp-710f9437498a8a9df62a6c7cecd6eb632561754b.zip
4 files changed, 64 insertions, 9 deletions
diff --git a/erts/doc/src/notes.xml b/erts/doc/src/notes.xml
index ff7d593edb..3d7858a034 100644
--- a/erts/doc/src/notes.xml
+++ b/erts/doc/src/notes.xml
@@ -31,6 +31,22 @@
   </header>
   <p>This document describes the changes made to the ERTS application.</p>
 
+<section><title>Erts 9.0.3</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+	    <p>Binary append operations did not check for overflow,
+	    resulting in nonsensical results when huge binaries were
+	    appended.</p>
+          <p>
+	    Own Id: OTP-14524</p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
 <section><title>Erts 9.0.2</title>
 
     <section><title>Fixed Bugs and Malfunctions</title>
diff --git a/erts/emulator/beam/erl_bits.c b/erts/emulator/beam/erl_bits.c
index 71c64997c1..b4e611f01b 100644
--- a/erts/emulator/beam/erl_bits.c
+++ b/erts/emulator/beam/erl_bits.c
@@ -1321,7 +1321,14 @@ erts_bs_append(Process* c_p, Eterm* reg, Uint live, Eterm build_size_term,
 	    goto badarg;
 	}
     }
+
+    if((ERTS_UINT_MAX - build_size_in_bits) < erts_bin_offset) {
+        c_p->freason = SYSTEM_LIMIT;
+        return THE_NON_VALUE;
+    }
+
     used_size_in_bits = erts_bin_offset + build_size_in_bits;
+
     sb->is_writable = 0;	/* Make sure that no one else can write. */
     pb->size = NBYTES(used_size_in_bits);
     pb->flags |= PB_ACTIVE_WRITER;
@@ -1395,9 +1402,21 @@ erts_bs_append(Process* c_p, Eterm* reg, Uint live, Eterm build_size_term,
 		goto badarg;
 	    }
 	}
-	used_size_in_bits = erts_bin_offset + build_size_in_bits;
-	used_size_in_bytes = NBYTES(used_size_in_bits);
-	bin_size = 2*used_size_in_bytes;
+
+        if((ERTS_UINT_MAX - build_size_in_bits) < erts_bin_offset) {
+            c_p->freason = SYSTEM_LIMIT;
+            return THE_NON_VALUE;
+        }
+
+        used_size_in_bits = erts_bin_offset + build_size_in_bits;
+        used_size_in_bytes = NBYTES(used_size_in_bits);
+
+        if(used_size_in_bits < (ERTS_UINT_MAX / 2)) {
+            bin_size = 2 * used_size_in_bytes;
+        } else {
+            bin_size = NBYTES(ERTS_UINT_MAX);
+        }
+
 	bin_size = (bin_size < 256) ? 256 : bin_size;
 
 	/*
@@ -1487,6 +1506,12 @@ erts_bs_private_append(Process* p, Eterm bin, Eterm build_size_term, Uint unit)
      * Calculate new size in bytes.
      */
     erts_bin_offset = 8*sb->size + sb->bitsize;
+
+    if((ERTS_UINT_MAX - build_size_in_bits) < erts_bin_offset) {
+        p->freason = SYSTEM_LIMIT;
+        return THE_NON_VALUE;
+    }
+
     pos_in_bits_after_build = erts_bin_offset + build_size_in_bits;
     pb->size = (pos_in_bits_after_build+7) >> 3;
     pb->flags |= PB_ACTIVE_WRITER;
diff --git a/erts/emulator/test/bs_construct_SUITE.erl b/erts/emulator/test/bs_construct_SUITE.erl
index b79f4b995d..ce50bcdd86 100644
--- a/erts/emulator/test/bs_construct_SUITE.erl
+++ b/erts/emulator/test/bs_construct_SUITE.erl
@@ -905,14 +905,28 @@ bs_add_overflow(_Config) ->
         _ when Memsize < (2 bsl 30) ->
 	    {skip, "Less then 2 GB of memory"};
 	4 ->
-	    Large = <<0:((1 bsl 30)-1)>>,
-	    {'EXIT',{system_limit,_}} =
-		(catch <<Large/bits, Large/bits, Large/bits, Large/bits,
-                         Large/bits, Large/bits, Large/bits, Large/bits,
-                         Large/bits>>),
+            {'EXIT', {system_limit, _}} = (catch bs_add_overflow_signed()),
+            {'EXIT', {system_limit, _}} = (catch bs_add_overflow_unsigned()),
 	    ok
     end.
 
+bs_add_overflow_signed() ->
+    %% Produce a large result of bs_add that, if cast to signed int, would
+    %% overflow into a negative number that fits a smallnum.
+    Large = <<0:((1 bsl 30)-1)>>,
+    <<Large/bits, Large/bits, Large/bits, Large/bits,
+      Large/bits, Large/bits, Large/bits, Large/bits,
+      Large/bits>>.
+
+bs_add_overflow_unsigned() ->
+    %% Produce a large result of bs_add that goes beyond the limit of an
+    %% unsigned word. This used to succeed but produced an incorrect result
+    %% where B =:= C!
+    A = <<0:((1 bsl 32)-8)>>,
+    B = <<2, 3>>,
+    C = <<A/binary,1,B/binary>>,
+    true = byte_size(B) < byte_size(C).
+
 id(I) -> I.
 
 memsize() ->
diff --git a/erts/vsn.mk b/erts/vsn.mk
index 59699c6505..f90870b7c8 100644
--- a/erts/vsn.mk
+++ b/erts/vsn.mk
@@ -18,7 +18,7 @@
 # %CopyrightEnd%
 # 
 
-VSN = 9.0.2
+VSN = 9.0.3
 
 # Port number 4365 in 4.2
 # Port number 4366 in 4.3
author	Raimo Niskanen <[email protected]>	2017-08-24 09:37:16 +0200
committer	Raimo Niskanen <[email protected]>	2017-08-24 09:37:16 +0200
commit	710f9437498a8a9df62a6c7cecd6eb632561754b (patch)
tree	00d7dc89d265b8e4607b22f78445dee811834876 /erts
parent	d50bc5031eb0889c894bf20f5206cfc06162f30a (diff)
parent	41878bba817fc2ec9e08529afe19c2655742dbd1 (diff)
download	otp-710f9437498a8a9df62a6c7cecd6eb632561754b.tar.gz otp-710f9437498a8a9df62a6c7cecd6eb632561754b.tar.bz2 otp-710f9437498a8a9df62a6c7cecd6eb632561754b.zip