From 3b61e5f55b13b7a16eadcc87582790ff6048b5af Mon Sep 17 00:00:00 2001
From: Sverker Eriksson
Date: Thu, 21 Mar 2019 20:29:34 +0100
Subject: erts: Reject decoded local refs with too large first word
---
 erts/emulator/beam/external.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/erts/emulator/beam/external.c b/erts/emulator/beam/external.c
index 265292f519..471c1c3938 100644
--- a/erts/emulator/beam/external.c
+++ b/erts/emulator/beam/external.c
@@ -3579,7 +3579,7 @@ dec_term_atom_common:
 cre = get_int32(ep);
 ep += 4;
- r0 = get_int32(ep); /* allow full word */
+ r0 = get_int32(ep);
 ep += 4;
 ref_ext_common: {
@@ -3590,6 +3590,13 @@ dec_term_atom_common:
 node = dec_get_node(sysname, cre, make_boxed(hp));
 if(node == erts_this_node) {
+ if (r0 >= MAX_REFERENCE) {
+ /*
+ * Must reject local refs with more than 18 bits
+ * in first word as magic ref table relies on it.
+ */
+ goto error;
+ }
 rtp = (ErtsORefThing *) hp;
 ref_num = &rtp->num[0];
-- cgit v1.2.3
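Review bot: The new guard `if (r0 >= MAX_REFERENCE)` in the `node == erts_this_node` branch rejects every oversized first word only if `r0` is an unsigned 32-bit value. Its declaration is outside the hunk; if it were a signed type, a decoded word with the top bit set would compare as negative and presumably pass the check, so this is worth confirming. The comment hard-codes "18 bits" while the test uses `MAX_REFERENCE`; wording it as `/* Reject local refs whose first word is >= MAX_REFERENCE; the magic ref table relies on that bound. */` keeps it accurate if the constant ever changes. The diffstat lists only external.c, so a regression case that decodes an external-format local reference with an out-of-range first word and expects the decode to fail would pin this validation of untrusted input. The enclosing decode function starts and ends outside both hunks.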