diff options
author | Sverker Eriksson <[email protected]> | 2019-03-21 20:29:34 +0100 |
---|---|---|
committer | Sverker Eriksson <[email protected]> | 2019-03-22 19:40:36 +0100 |
commit | 3b61e5f55b13b7a16eadcc87582790ff6048b5af (patch) | |
tree | 2057865a68ed6f1996a5d34b3c16ff07ff414f35 /erts | |
parent | 452b5ff296efffaf24cce51993e0b00e2cb48885 (diff) | |
download | otp-3b61e5f55b13b7a16eadcc87582790ff6048b5af.tar.gz otp-3b61e5f55b13b7a16eadcc87582790ff6048b5af.tar.bz2 otp-3b61e5f55b13b7a16eadcc87582790ff6048b5af.zip |
erts: Reject decoded local refs with too large first word
Diffstat (limited to 'erts')
-rw-r--r-- | erts/emulator/beam/external.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/erts/emulator/beam/external.c b/erts/emulator/beam/external.c index 265292f519..471c1c3938 100644 --- a/erts/emulator/beam/external.c +++ b/erts/emulator/beam/external.c @@ -3579,7 +3579,7 @@ dec_term_atom_common: cre = get_int32(ep); ep += 4; - r0 = get_int32(ep); /* allow full word */ + r0 = get_int32(ep); ep += 4; ref_ext_common: { @@ -3590,6 +3590,13 @@ dec_term_atom_common: node = dec_get_node(sysname, cre, make_boxed(hp)); if(node == erts_this_node) { + if (r0 >= MAX_REFERENCE) { + /* + * Must reject local refs with more than 18 bits + * in first word as magic ref table relies on it. + */ + goto error; + } rtp = (ErtsORefThing *) hp; ref_num = &rtp->num[0]; |