_msgpack_rmem_alloc2: reset head.pages pointer before allocating them.

byroot · byroot · commit f7e765257c0e · 2023-03-27T14:20:00.000+02:00
`xmalloc` may trigger GC, if it does, some buffers may be freed by ruby and if they were in the previous head, they'll free themselves out of the head. Fix: #327
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,4 @@
+* Fix a possible double-free issue when GC triggers inside `_msgpack_rmem_alloc2`.
 * `Unpacker#feed` now always directly read in provided strings instead of copying content in its buffer.
 * `Unpacker#feed` is now an alias of `Unpacker#feed_reference`.
 * Implement `Factory::Pool#unpacker` and `Factory::Pool#packer` to allow for more precise serialization.
diff --git a/ext/msgpack/rmem.c b/ext/msgpack/rmem.c
@@ -70,6 +70,7 @@ void* _msgpack_rmem_alloc2(msgpack_rmem_t* pm)
     pm->head = *c;
     *c = tmp;
 
+    pm->head.pages = NULL; /* make sure we don't point to another chunk's pages in case xmalloc triggers GC */
     pm->head.mask = 0xffffffff & (~1);  /* "& (~1)" means first chunk is already allocated */
     pm->head.pages = xmalloc(MSGPACK_RMEM_PAGE_SIZE * 32);
 

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	+* Fix a possible double-free issue when GC triggers inside `_msgpack_rmem_alloc2`.
`1`	`2`	* `Unpacker#feed` now always directly read in provided strings instead of copying content in its buffer.
`2`	`3`	* `Unpacker#feed` is now an alias of `Unpacker#feed_reference`.
`3`	`4`	* Implement `Factory::Pool#unpacker` and `Factory::Pool#packer` to allow for more precise serialization.