diff options
| author | Bernhard Urban-Forster <lewurm@gmail.com> | 2019-11-21 13:56:03 +0300 |
|---|---|---|
| committer | monojenkins <jo.shields+jenkins@xamarin.com> | 2019-11-21 13:56:03 +0300 |
| commit | 058d157648f593f41a2afbf878c0f401ecb804b7 (patch) | |
| tree | 8bbd75316d6042bc13b90f0eb47d33e7777dfb31 | |
| parent | b6e4ddd73c436ce23ae7036a7170f59b545e46b7 (diff) | |
[interp] fix array_element_size intrinsic (#17857)
[interp] fix array_element_size intrinsic
`mono_class_array_element_size` gives us the size of the provided MonoClass if it would be an array element. But here we want the element size of a given array's MonoClass. That's what `mono_array_element_size` is returning.
This leads to all kind of weird crashes otherwise, specifically here:
https://github.com/mono/mono/blob/2c20649539ac16e069a65f2a750c793eb341e50f/netcore/System.Private.CoreLib/src/System/Array.Mono.cs#L64
Which is then used later to compute the size to memset in order to clear the content of an array. If it's larger than it should be, then this will cause memory corruption. For example this would crash eventually:
```csharp
using System;
using System.Collections.Generic;
namespace HelloWorld {
class Program {
static void Main(string[] args) {
for (int j = 0; j < 0x1000; j++) {
var d = new Dictionary<string, string> ();
for (int i = 0; i < 197; i++)
d.Add (i + "", i + "foo");
d.Clear ();
}
}
}
}
```
Thanks to @EgorBo for reporting.
| -rw-r--r-- | mono/mini/interp/interp.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/mono/mini/interp/interp.c b/mono/mini/interp/interp.c index 7ccd3a8cf81..37712682465 100644 --- a/mono/mini/interp/interp.c +++ b/mono/mini/interp/interp.c @@ -5584,7 +5584,7 @@ common_vcall: MINT_IN_CASE(MINT_ARRAY_ELEMENT_SIZE) { MonoObject* const o = sp [-1].data.o; NULL_CHECK (o); - sp [-1].data.i = mono_class_array_element_size (mono_object_class (o)); + sp [-1].data.i = mono_array_element_size (mono_object_class (o)); ip++; MINT_IN_BREAK; } |