
Commit 78e38f5

committed
src: fix uninitialized memory dereference
The elements of the heap-allocated TaskQueue::ring_ array in src/node_v8_platform.cc were compared against without being initialized first. Fixes node-forward/node#33. PR-URL: node-forward/node#34 Reviewed-By: Fedor Indutny <fedor@indutny.com>
1 parent 081e94a commit 78e38f5


2 files changed

+9
-13
lines changed


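--- a/src/node_v8_platform.cc
+++ b/src/node_v8_platform.cc
@@ -98,12 +98,9 @@ void Platform::WorkerBody(void* arg) {
 TaskQueue::TaskQueue() {
 int err;
 
-static_assert(kRingSize == (kRingSize & (~(kRingSize - 1))),
-"kRingSize is not a power of two");
+for (size_t i = 0; i < ARRAY_SIZE(ring_); i += 1)
+ring_[i] = nullptr;
 
-size_ = kRingSize;
-ring_ = new Task*[size_];
-mask_ = size_ - 1;
 read_off_ = 0;
 write_off_ = 0;
 
@@ -120,9 +117,6 @@ TaskQueue::TaskQueue() {
 
 TaskQueue::~TaskQueue() {
 CHECK_EQ(read_off_, write_off_);
-
-delete[] ring_;
-ring_ = nullptr;
 uv_sem_destroy(&sem_);
 uv_cond_destroy(&cond_);
 uv_mutex_destroy(&mutex_);
@@ -138,7 +132,7 @@ void TaskQueue::Push(Task* task) {
 
 ring_[write_off_] = task;
 write_off_++;
-write_off_ &= mask_;
+write_off_ &= kRingMask;
 uv_mutex_unlock(&mutex_);
 
 uv_sem_post(&sem_);
@@ -154,7 +148,7 @@ Task* TaskQueue::Shift() {
 uv_cond_signal(&cond_);
 
 read_off_++;
-read_off_ &= mask_;
+read_off_ &= kRingMask;
 uv_mutex_unlock(&mutex_);
 
 return task;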

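--- a/src/node_v8_platform.h
+++ b/src/node_v8_platform.h
@@ -37,15 +37,17 @@ class TaskQueue {
 
 private:
 static const unsigned int kRingSize = 1024;
+static const unsigned int kRingMask = kRingSize - 1;
+
+static_assert(kRingSize == (kRingSize & ~kRingMask),
+"kRingSize is not a power of two");
 
 uv_sem_t sem_;
 uv_cond_t cond_;
 uv_mutex_t mutex_;
-v8::Task** ring_;
-unsigned int size_;
-unsigned int mask_;
 unsigned int read_off_;
 unsigned int write_off_;
+v8::Task* ring_[kRingSize];
 };
 
 class Platform : public v8::Platform {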
