From 1e6ab2fdac21c7847b7fda32fed1ea35883a535e Mon Sep 17 00:00:00 2001 From: Tomas Abrahamsson Date: Thu, 13 Dec 2018 22:36:03 +0100 Subject: erts: Fix possible heap corruption getting atomics Due to comparison as a signed integer, when getting an unsigned atomic in the range 2^63-1..2^64-1 (when the most significant bit was set), the heap could get corrupted when the integer was retrieved: hsz would get set to zero, but the code proceeded to build a bignum. Steps to reproduce (at least on x86_64): $ erl 1> A = atomics:new(1,[{signed,false}]). 2> atomics:put(A,1,18446744073709551615). 3> atomics:get(A,1). At the last step, the shell would print some garbage and hang. --- erts/emulator/beam/erl_bif_atomics.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'erts/emulator/beam') diff --git a/erts/emulator/beam/erl_bif_atomics.c b/erts/emulator/beam/erl_bif_atomics.c index 092dbb3bd3..029831bd95 100644 --- a/erts/emulator/beam/erl_bif_atomics.c +++ b/erts/emulator/beam/erl_bif_atomics.c @@ -133,7 +133,7 @@ static ERTS_INLINE Eterm bld_atomic(Process* proc, AtomicsRef* p, if ((Uint64)val <= MAX_SMALL) return make_small((Sint) val); else { - Uint hsz = ERTS_UINT64_HEAP_SIZE(val); + Uint hsz = ERTS_UINT64_HEAP_SIZE((Uint64)val); Eterm* hp = HAlloc(proc, hsz); return erts_uint64_to_big(val, &hp); } -- cgit v1.2.3