added safeguard to ensure that PgfRevision is an actual object

2021-09-08 09:17:12 +02:00
parent f741bd9332
commit 2e846cdf59
4 changed files with 35 additions and 17 deletions
--- a/src/runtime/c/pgf/data.h
+++ b/src/runtime/c/pgf/data.h
@@ -8,11 +8,6 @@
 #include <stdexcept>

 #include "pgf.h"
-#include "db.h"
-#include "text.h"
-#include "vector.h"
-#include "namespace.h"
-#include "expr.h"

 class PGF_INTERNAL_DECL pgf_error : public std::runtime_error {
 public:
@@ -59,6 +54,12 @@ private:
    const char *m_filepath;
 };

+#include "db.h"
+#include "text.h"
+#include "vector.h"
+#include "namespace.h"
+#include "expr.h"
+
 struct PGF_INTERNAL_DECL PgfFlag {
    PgfLiteral value;
    PgfText name;
--- a/src/runtime/c/pgf/db.cxx
+++ b/src/runtime/c/pgf/db.cxx
@@ -958,6 +958,13 @@ void PgfDB::free_internal(object o)
    }
 }

+bool PgfDB::is_valid_object(object o, size_t bytes)
+{
+    if (o <= sizeof(*ms) || o >= ms->top)
+        return false;
+    mchunk *chunk = mem2chunk(ptr(ms,o));
+    return (chunksize(chunk) == request2size(bytes));
+}

 DB_scope::DB_scope(PgfDB *db, DB_scope_mode tp)
 {
--- a/src/runtime/c/pgf/db.h
+++ b/src/runtime/c/pgf/db.h
@@ -93,6 +93,14 @@ public:
        current_db->set_root_internal(root.offset);
    }

+    template<class A>
+    static ref<A> safe_object2ref(object o) {
+        if (!current_db->is_valid_object(o, sizeof(A)))
+            throw pgf_error("Invalid database object");
+        return o;
+    }
+
+
    PGF_INTERNAL_DECL static void sync();

 private:
@@ -104,6 +112,8 @@ private:
    PGF_INTERNAL_DECL object get_root_internal();
    PGF_INTERNAL_DECL void set_root_internal(object root_offset);

+    PGF_INTERNAL_DECL bool is_valid_object(object o, size_t bytes);
+
    PGF_INTERNAL_DECL unsigned char* relocate(unsigned char* ptr);

    friend class DB_scope;
--- a/src/runtime/c/pgf/pgf.cxx
+++ b/src/runtime/c/pgf/pgf.cxx
@@ -160,7 +160,7 @@ PgfText *pgf_abstract_name(PgfDB *db, PgfRevision revision,
 {
    PGF_API_BEGIN {
        DB_scope scope(db, READER_SCOPE);
-        ref<PgfPGF> pgf = revision;
+        ref<PgfPGF> pgf = PgfDB::safe_object2ref<PgfPGF>(revision);

        return textdup(&(*pgf->abstract.name));
    } PGF_API_END
@@ -174,7 +174,7 @@ void pgf_iter_categories(PgfDB *db, PgfRevision revision,
 {
    PGF_API_BEGIN {
        DB_scope scope(db, READER_SCOPE);
-        ref<PgfPGF> pgf = revision;
+        ref<PgfPGF> pgf = PgfDB::safe_object2ref<PgfPGF>(revision);
    
        namespace_iter(pgf->abstract.cats, itor, err);
    } PGF_API_END
@@ -187,7 +187,7 @@ PgfType pgf_start_cat(PgfDB *db, PgfRevision revision,
 {
    PGF_API_BEGIN {
        DB_scope scope(db, READER_SCOPE);
-        ref<PgfPGF> pgf = revision;
+        ref<PgfPGF> pgf = PgfDB::safe_object2ref<PgfPGF>(revision);

        PgfText *startcat = (PgfText *)
            alloca(sizeof(PgfText)+9);
@@ -228,7 +228,7 @@ PgfTypeHypo *pgf_category_context(PgfDB *db, PgfRevision revision,
 {
    PGF_API_BEGIN {
        DB_scope scope(db, READER_SCOPE);
-        ref<PgfPGF> pgf = revision;
+        ref<PgfPGF> pgf = PgfDB::safe_object2ref<PgfPGF>(revision);

        ref<PgfAbsCat> abscat =
            namespace_lookup(pgf->abstract.cats, catname);
@@ -262,7 +262,7 @@ prob_t pgf_category_prob(PgfDB *db, PgfRevision revision,
 {
    PGF_API_BEGIN {
        DB_scope scope(db, READER_SCOPE);
-        ref<PgfPGF> pgf = revision;
+        ref<PgfPGF> pgf = PgfDB::safe_object2ref<PgfPGF>(revision);

        ref<PgfAbsCat> abscat =
            namespace_lookup(pgf->abstract.cats, catname);
@@ -282,7 +282,7 @@ void pgf_iter_functions(PgfDB *db, PgfRevision revision,
 {
    PGF_API_BEGIN {
        DB_scope scope(db, READER_SCOPE);
-        ref<PgfPGF> pgf = revision;
+        ref<PgfPGF> pgf = PgfDB::safe_object2ref<PgfPGF>(revision);

        pgf_exn_clear(err);
        namespace_iter(pgf->abstract.funs, itor, err);
@@ -311,7 +311,7 @@ void pgf_iter_functions_by_cat(PgfDB *db, PgfRevision revision,
 {
    PGF_API_BEGIN {
        DB_scope scope(db, READER_SCOPE);
-        ref<PgfPGF> pgf = revision;
+        ref<PgfPGF> pgf = PgfDB::safe_object2ref<PgfPGF>(revision);

        PgfItorHelper helper;
        helper.fn   = iter_by_cat_helper;
@@ -329,7 +329,7 @@ PgfType pgf_function_type(PgfDB *db, PgfRevision revision,
 {
    PGF_API_BEGIN {
        DB_scope scope(db, READER_SCOPE);
-        ref<PgfPGF> pgf = revision;
+        ref<PgfPGF> pgf = PgfDB::safe_object2ref<PgfPGF>(revision);

        ref<PgfAbsFun> absfun =
            namespace_lookup(pgf->abstract.funs, funname);
@@ -349,7 +349,7 @@ int pgf_function_is_constructor(PgfDB *db, PgfRevision revision,
 {
    PGF_API_BEGIN {
        DB_scope scope(db, READER_SCOPE);
-        ref<PgfPGF> pgf = revision;
+        ref<PgfPGF> pgf = PgfDB::safe_object2ref<PgfPGF>(revision);

        ref<PgfAbsFun> absfun =
            namespace_lookup(pgf->abstract.funs, funname);
@@ -369,7 +369,7 @@ prob_t pgf_function_prob(PgfDB *db, PgfRevision revision,
 {
    PGF_API_BEGIN {
        DB_scope scope(db, READER_SCOPE);
-        ref<PgfPGF> pgf = revision;
+        ref<PgfPGF> pgf = PgfDB::safe_object2ref<PgfPGF>(revision);

        ref<PgfAbsFun> absfun =
            namespace_lookup(pgf->abstract.funs, funname);
@@ -435,7 +435,7 @@ PgfRevision pgf_clone_revision(PgfDB *db, PgfRevision revision,
    pgf_exn_clear(err);

    try {
-        ref<PgfPGF> pgf = revision;
+        ref<PgfPGF> pgf = PgfDB::safe_object2ref<PgfPGF>(revision);

        ref<PgfPGF> new_pgf = PgfDB::malloc<PgfPGF>();
        new_pgf->major_version = pgf->major_version;
@@ -488,7 +488,7 @@ void pgf_create_function(PgfDB *db, PgfRevision revision,
    try {
        PgfDBUnmarshaller u(m);

-        ref<PgfPGF> pgf = revision;
+        ref<PgfPGF> pgf = PgfDB::safe_object2ref<PgfPGF>(revision);
        ref<PgfAbsFun> absfun = PgfDB::malloc<PgfAbsFun>(sizeof(PgfAbsFun)+name->size+1);
        absfun->type  = m->match_type(&u, ty);
        absfun->arity = 0;