From ffa8ac3a590fe2a10eab5fb47a18c0e3393fa730 Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Mon, 20 Jun 2022 10:44:45 +0200
Subject: prog: fix out-of-bounds access in any blob mutation

If we grow any blob during mutation, we allocate a new address for it (so that it does not overlap with other data). To do this we call analyze after the mutation. However, after mutation the blob can grow out of bounds of the data area and analyze will cause out-of-bounds access during marking of existing allocations. Fix this by calling analyze before we mutate the blob. Also while we are here use the proper call for analyze. Currently we always analyze only the first call, which is wrong (probably a latent TODO from initial implementation).

Fixes #3206
---
 prog/any.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'prog/any.go')

diff --git a/prog/any.go b/prog/any.go
index a5106683d..a9d275b1d 100644
--- a/prog/any.go
+++ b/prog/any.go
@@ -60,11 +60,16 @@ func (target *Target) isAnyPtr(typ Type) bool {
 	return ok && ptr.Elem == target.any.array
 }
-func (p *Prog) complexPtrs() (res []*PointerArg) {
+type complexPtr struct {
+	arg  *PointerArg
+	call *Call
+}
+
+func (p *Prog) complexPtrs() (res []complexPtr) {
 	for _, c := range p.Calls {
 		ForeachArg(c, func(arg Arg, ctx *ArgCtx) {
 			if ptrArg, ok := arg.(*PointerArg); ok && p.Target.isComplexPtr(ptrArg) {
-				res = append(res, ptrArg)
+				res = append(res, complexPtr{ptrArg, c})
 				ctx.Stop = true
 			}
 		})
-- 
cgit mrf-deployment
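Review bot: The literal `complexPtr{ptrArg, c}` on the `res = append(...)` line is positional; for a struct that exists to pair two distinct things, the keyed form `res = append(res, complexPtr{arg: ptrArg, call: c})` reads better and stays robust if the struct's fields are ever extended. The new `complexPtr` type also carries no comment explaining why the call is now recorded next to the pointer; a one-liner such as `// complexPtr is a complex pointer argument paired with the call that contains it, so callers can analyze that call rather than always the first one.` would preserve the intent stated in the commit message. The callers that consume the new `call` field — the analyze-before-mutate change the message describes — are outside this view, since the page is limited to prog/any.go, so whether the mutation path now analyzes the correct call cannot be confirmed from this hunk.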