From 168f64f4cb55a7055261a4c66ca54f496e96b503 Mon Sep 17 00:00:00 2001
From: chriseth
Date: Fri, 23 Jun 2017 17:20:07 +0200
Subject: [PATCH] Fix negative stack size checks.
---
 Changelog.md | 1 +
 libevmasm/Assembly.cpp | 1 +
 libsolidity/codegen/ContractCompiler.cpp | 10 ++++++++++
 libsolidity/codegen/ExpressionCompiler.cpp | 1 +
 4 files changed, 13 insertions(+)
diff --git a/Changelog.md b/Changelog.md
index c12afcd20..8b44934d1 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -28,6 +28,7 @@ Bugfixes:
 * Fixed crash concerning non-callable types.
 * Unused variable warnings no longer issued for variables used inside inline assembly.
 * Code Generator: Fix ABI encoding of empty literal string.
+ * Code Generator: Fix negative stack size checks.
 * Inline Assembly: Enforce function arguments when parsing functional instructions.
 * Fixed segfault with constant function parameters
diff --git a/libevmasm/Assembly.cpp b/libevmasm/Assembly.cpp
index 27199b7b2..597fdae19 100644
--- a/libevmasm/Assembly.cpp
+++ b/libevmasm/Assembly.cpp
@@ -328,6 +328,7 @@ Json::Value Assembly::stream(ostream& _out, string const& _prefix, StringMap con
 AssemblyItem const& Assembly::append(AssemblyItem const& _i)
 {
+ assertThrow(m_deposit >= 0, AssemblyException, "");
 m_deposit += _i.deposit();
 m_items.push_back(_i);
 if (m_items.back().location().isEmpty() && !m_currentSourceLocation.isEmpty())
diff --git a/libsolidity/codegen/ContractCompiler.cpp b/libsolidity/codegen/ContractCompiler.cpp
index 977a2c7ce..61a90050f 100644
--- a/libsolidity/codegen/ContractCompiler.cpp
+++ b/libsolidity/codegen/ContractCompiler.cpp
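Review bot: The new `assertThrow(m_deposit >= 0, AssemblyException, "");` in Assembly::append has an empty message, so when it fires the exception says nothing about which invariant broke; `assertThrow(m_deposit >= 0, AssemblyException, "Stack deposit became negative.");` would make the failure diagnosable. The check also runs before `m_deposit += _i.deposit();`, so a deposit that goes negative because of this very item is only caught on the next append (or not at all if it is the last item appended); if that delay is intended, a one-line comment saying so would help, otherwise the check belongs after the addition. The body of Assembly::append continues past the end of the hunk.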
@@ -267,12 +267,16 @@ void ContractCompiler::appendFunctionSelector(ContractDefinition const& _contrac
 m_context << notFound;
 if (fallback)
 {
+ m_context.setStackOffset(0);
 if (!fallback->isPayable())
 appendCallValueCheck();
 eth::AssemblyItem returnTag = m_context.pushNewTag();
 fallback->accept(*this);
 m_context << returnTag;
+ m_context.adjustStackOffset(
+ CompilerUtils(m_context).sizeOnStack(FunctionType(*fallback).returnParameterTypes()) - 1
+ );
 appendReturnValuePacker(FunctionType(*fallback).returnParameterTypes(), _contract.isLibrary());
 }
 else
@@ -285,6 +289,7 @@ void ContractCompiler::appendFunctionSelector(ContractDefinition const& _contrac
 CompilerContext::LocationSetter locationSetter(m_context, functionType->declaration());
 m_context << callDataUnpackerEntryPoints.at(it.first);
+ m_context.setStackOffset(0);
 // We have to allow this for libraries, because value of the previous
 // call is still visible in the delegatecall.
 if (!functionType->isPayable() && !_contract.isLibrary())
@@ -295,6 +300,11 @@ void ContractCompiler::appendFunctionSelector(ContractDefinition const& _contrac
 appendCalldataUnpacker(functionType->parameterTypes());
 m_context.appendJumpTo(m_context.functionEntryLabel(functionType->declaration()));
 m_context << returnTag;
+ m_context.adjustStackOffset(
+ CompilerUtils(m_context).sizeOnStack(functionType->returnParameterTypes()) -
+ CompilerUtils(m_context).sizeOnStack(functionType->parameterTypes()) -
+ 1
+ );
 appendReturnValuePacker(functionType->returnParameterTypes(), _contract.isLibrary());
 }
 }
diff --git a/libsolidity/codegen/ExpressionCompiler.cpp b/libsolidity/codegen/ExpressionCompiler.cpp
index a65549fd8..9d4024c98 100644
--- a/libsolidity/codegen/ExpressionCompiler.cpp
+++ b/libsolidity/codegen/ExpressionCompiler.cpp
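Review bot: The `adjustStackOffset` calls in this hunk and in the third ContractCompiler hunk each construct a throw-away `CompilerUtils(m_context)` just to call `sizeOnStack`, while the ExpressionCompiler hunk calls it as `CompilerUtils::sizeOnStack(paramTypes)`, which suggests it is static; `CompilerUtils::sizeOnStack(FunctionType(*fallback).returnParameterTypes()) - 1` reads the same and avoids the temporary. The `- 1` here (and the additional subtraction of the parameter size in the third hunk) is not explained; presumably it accounts for the return tag pushed by `pushNewTag()` and, in the third hunk, the calldata-unpacked arguments that the callee consumes, so a comment such as `// the callee pops the return tag (and its arguments) and leaves only the return values` would record the intent. `FunctionType(*fallback)` is also constructed twice on consecutive lines (the new call and the existing `appendReturnValuePacker` argument); a single local would remove the duplication. appendFunctionSelector starts before and ends after this hunk.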
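Review bot: The `m_context.setStackOffset(0);` added after the entry-point tag resets the tracked stack height without saying why it is zero at this point, and the same unexplained reset appears in the fallback branch of the first hunk. A one-line comment stating what the machine stack holds when this tag is reached (for example `// entry tag is reached by a direct jump from the selector, so the tracked stack restarts here` if that is the case) would make the invariant the new checks rely on explicit. appendFunctionSelector starts before and ends after this hunk.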
@@ -88,6 +88,7 @@ void ExpressionCompiler::appendStateVariableAccessor(VariableDeclaration const&
 FunctionType accessorType(_varDecl);
 TypePointers paramTypes = accessorType.parameterTypes();
+ m_context.adjustStackOffset(1 + CompilerUtils::sizeOnStack(paramTypes));
 // retrieve the position of the variable
 auto const& location = m_context.storageLocationOfVariable(_varDecl);