From d94a8ef6dc136dd2eedf3c3ad4bc053ca8fdd1b0 Mon Sep 17 00:00:00 2001
From: Kostis Sagonas
Date: Mon, 12 Oct 2015 07:53:20 +0200
Subject: Fix edge case of Size = 0 in bs_put_integer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

copy_offset_int_big was assuming (Offset + Size - 1) (Tmp9 in the first BB) would not underflow. It was also unconditionally reading and writing the binary even when Size was zero, unlike copy_int_little, which is the only other case of bs_put_integer that does not have a short-circuit on Size = 0. This was causing segfaults when constructing binaries starting with a zero-length integer field, because a logical right shift was used to compute an offset in bytes (which became 0x1fffffffffffffff) to read in the binary. Tests, taken from the emulator bs_construct_SUITE, were also added. The complete credit for the report and the fix goes to Magnus Lång.
---
 lib/hipe/test/bs_SUITE_data/bs_construct.erl | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 (limited to 'lib/hipe/test/bs_SUITE_data')

diff --git a/lib/hipe/test/bs_SUITE_data/bs_construct.erl b/lib/hipe/test/bs_SUITE_data/bs_construct.erl
index 9cc9ac848c..37a54c1981 100644
--- a/lib/hipe/test/bs_SUITE_data/bs_construct.erl
+++ b/lib/hipe/test/bs_SUITE_data/bs_construct.erl
@@ -13,6 +13,7 @@ test() ->
 ok = bs5(),
 16#10000008 = bit_size(large_bin(1, 2, 3, 4)),
 ok = bad_ones(),
+ ok = zero_width(),
 ok.
 
 %%--------------------------------------------------------------------
@@ -126,3 +127,18 @@ bad_ones() ->
 Bin123 = <<1,2,3>>,
 ?FAIL(<>),
 ok.
+
+%%--------------------------------------------------------------------
+%% Taken from the emulator bs_construct_SUITE - seg faulted till 18.1
+
+zero_width() ->
+ Z = id(0),
+ Small = id(42),
+ Big = id(1 bsl 128), % puts stuff on the heap
+ <<>> = <>,
+ <<>> = <>,
+ <<>> = <>,
+ <<>> = <>,
+ ok.
+
+id(X) -> X.
--
cgit v1.2.3
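Review bot: Every match in the new zero_width/0 has `<<>>` on the left-hand side, so the test only covers a zero-width integer field that is the whole binary, while the commit message says copy_offset_int_big also read and wrote the binary unconditionally whenever Size was zero, a path that a zero-width field placed after a non-empty prefix (where the offset arithmetic does not underflow) would exercise on its own. Adding one such case, e.g. `<<1>> = <<1, Small:Z>>` together with its `/little` counterpart, would pin that behaviour as well. The right-hand sides of the four matches render here as `<>`, so the actual field specifications could not be checked; presumably the angle-bracketed content was dropped by the page rendering. The helper `id/1` would benefit from a one-line comment on why it exists, e.g. `%% id/1 keeps Z, Small and Big opaque to the compiler so the constructions above are built at runtime rather than folded away.` — this reading of its purpose is inferred from the test, so confirm before committing the wording.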