From c23fd46d841d8d452c02ae4fc796042f2fb86424 Mon Sep 17 00:00:00 2001
From: Kaz Kylheku
Date: Wed, 25 Apr 2018 23:40:22 -0700
Subject: vm: heap corruption bug.
* vm.c (vm_execute_toplevel): Fix data vector being assigned to the wrong display frame, leaving vm.dspl[1].vec uninitialized. Why is that a problem? Because the VM depends on these vectors when performing the vm_set operation: if a frame register is stored, and the frame has an associated vector, mut_obj is invoked on that vector. Now that there exists the load-time operator, the d regs (which live in dspl[1]) can be mutated. That causes mut_obj to be called with garbage. This was all discovered during testing on PPC64.
---
vm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'vm.c')
diff --git a/vm.c b/vm.c
index 8119fcf0..218d427a 100644
--- a/vm.c
+++ b/vm.c
@@ -999,7 +999,7 @@ val vm_execute_toplevel(val desc)
 vm.dspl[0].vec = nil;
 vm.dspl[1].mem = vd->data;
- vm.dspl[0].vec = vd->datavec;
+ vm.dspl[1].vec = vd->datavec;
 return vm_execute(&vm);
 }
-- cgit v1.2.3
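Review bot: The corrected `vm.dspl[1].vec = vd->datavec;` line still leaves nothing in the code tying a frame's `.vec` to its `.mem`, so the same copy-paste slip (the old line assigned `dspl[0].vec` twice, which no compiler warns about and which left `dspl[1].vec` uninitialized for `mut_obj`) can recur; the invariant currently lives only in the commit message. I would put a comment above the `dspl[1]` pair, `/* d regs live in dspl[1]; .vec must match .mem, since vm_set calls mut_obj on a frame's vector when a register in that frame is stored. */`, or initialize each frame's mem/vec pair through one small static helper so the two fields cannot be set for different frames. The body of `vm_execute_toplevel` starts and ends outside the hunk, so I cannot see whether `dspl[0].mem` or any further display frames are initialized; that part is inferred only from the commit text.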