Merge pull request #328 from Shopify/fix-double-free-issues

byroot · web-flow · commit ef2f24b66070 · 2023-03-27T16:45:21.000+02:00
_msgpack_rmem_alloc2: reset `head.pages` pointer before allocating them.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,4 @@
+* Fix a possible double-free issue when GC triggers inside `_msgpack_rmem_alloc2`.
 * `Unpacker#feed` now always directly read in provided strings instead of copying content in its buffer.
 * `Unpacker#feed` is now an alias of `Unpacker#feed_reference`.
 * Implement `Factory::Pool#unpacker` and `Factory::Pool#packer` to allow for more precise serialization.
diff --git a/ext/msgpack/rmem.c b/ext/msgpack/rmem.c
@@ -68,6 +68,7 @@ void* _msgpack_rmem_alloc2(msgpack_rmem_t* pm)
     /* move head to array */
     *c = pm->head;
 
+    pm->head.pages = NULL; /* make sure we don't point to another chunk's pages in case xmalloc triggers GC */
     pm->head.mask = 0xffffffff & (~1);  /* "& (~1)" means first chunk is already allocated */
     pm->head.pages = xmalloc(MSGPACK_RMEM_PAGE_SIZE * 32);
 

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	+* Fix a possible double-free issue when GC triggers inside `_msgpack_rmem_alloc2`.
`1`	`2`	* `Unpacker#feed` now always directly read in provided strings instead of copying content in its buffer.
`2`	`3`	* `Unpacker#feed` is now an alias of `Unpacker#feed_reference`.
`3`	`4`	* Implement `Factory::Pool#unpacker` and `Factory::Pool#packer` to allow for more precise serialization.