array.c

4 years ago

Array: array_search() may not change needle's type · 83ac4caa

Tobias S. Josefowitz authored 4 years ago

If the needle supplied to array_search() was a destructed object,
array_search() would convert it to (PIKE_T_INT,NUMBER_DESTRUCTED)-type 0
in-place.

Since array_search() is sometimes called with the needle residing in
another array - for example when ORing arrays - this would introduce
PIKE_T_INT items into such arrays without reflecting this in said
array's type_field.

If the type_field would then later on (still) only have BIT_OBJECT set,
we would call free_object() on the thus introduced PIKE_T_INT when
freeing array items, leading straight to a segmentation fault.

83ac4caa

History

Array: array_search() may not change needle's type

Tobias S. Josefowitz authored 4 years ago

If the needle supplied to array_search() was a destructed object,
array_search() would convert it to (PIKE_T_INT,NUMBER_DESTRUCTED)-type 0
in-place.

Since array_search() is sometimes called with the needle residing in
another array - for example when ORing arrays - this would introduce
PIKE_T_INT items into such arrays without reflecting this in said
array's type_field.

If the type_field would then later on (still) only have BIT_OBJECT set,
we would call free_object() on the thus introduced PIKE_T_INT when
freeing array items, leading straight to a segmentation fault.