Commit b4d0179

Steal the ownership of the string in string_hash_to_newline to avoid use-after-free issues
Before, GML code like this "string_hash_to_newline(string("a"))" would cause issues, because string() returns an owning string. To fix this, we now "steal" the ownership of the string, to let the "ownership" of the string be passed from string to string_hash_to_newline
1 parent bb2551a commit b4d0179

1 file changed

+4
-3
lines changed

src/vm_builtins.c

Lines changed: 4 additions & 3 deletions
@@ -4515,7 +4515,7 @@ static RValue builtinPathEnd(VMContext* ctx, MAYBE_UNUSED RValue* args, MAYBE_UN
45154515
// string_hash_to_newline - converts # to \n in a string
45164516
static RValue builtinStringHashToNewline(MAYBE_UNUSED VMContext* ctx, RValue* args, int32_t argCount) {
45174517
if (1 > argCount) return RValue_makeString("");
4518-
RValue original = args[0];
4518+
RValue original = args[0]; // This is a copy
45194519

45204520
if (original.type != RVALUE_STRING) {
45214521
// Fast path: If the argument is not a string, return a copy of it
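
Review bot: the new comment on `RValue original = args[0];` says "This is a copy", which is easy to misread as a copy of the string itself. The assignment copies only the RValue struct, so `original.string` still points at the same buffer as `args[0].string`, and `ownsString` is duplicated along with it. Suggest wording it as "shallow copy of the RValue; the string buffer is shared with args[0]", since the ownership transfer later in this function depends on exactly that.
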
@@ -4528,8 +4528,9 @@ static RValue builtinStringHashToNewline(MAYBE_UNUSED VMContext* ctx, RValue* ar
45284528
}
45294529

45304530
if (strchr(original.string, '#') == nullptr) {
4531-
// Fast path: if there isn't a "#" in the string, we can return a non-owning reference to avoid copying the string
4532-
return RValue_makeString(original.string);
4531+
// Fast path: if there isn't a "#" in the string, we can steal the reference to avoid copying the string
4532+
args[0].ownsString = false; // We are stealing the ownership of this, kthxbye
4533+
return original;
45334534
}
45344535

45354536
char *result = TextUtils_preprocessGmlText(original.string);
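
Review bot: in the no-'#' fast path, `args[0].ownsString = false;` writes to the caller's argument array, so the fix holds only if the caller decides whether to free `args[0]` by reading `ownsString` after the builtin returns. That contract is not visible in this function; please state it in the comment (in place of "kthxbye") so a later change to argument cleanup does not bring back the use-after-free or turn it into a double free. Also, `return original;` carries over whatever `ownsString` held, so when the argument was already non-owning the result is still a non-owning reference, as it was before; the comment should say that the steal only applies to the owning case.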
