From 328a9c8310e8bab250b04e9e001ab0d890d33074 Mon Sep 17 00:00:00 2001
From: dec05eba
Date: Tue, 23 Apr 2019 01:30:43 +0200
Subject: Fix buffer overflow in ssa_ins_call
---
src/ssa/ssa.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'src/ssa')
diff --git a/src/ssa/ssa.c b/src/ssa/ssa.c
index 3afe7ed..e7434f8 100644
--- a/src/ssa/ssa.c
+++ b/src/ssa/ssa.c
@@ -218,7 +218,7 @@ int ssa_ins_push(Ssa *self, SsaRegister reg) {
 return_if_error(buffer_append_empty(&self->instructions, sizeof(u8) + sizeof(SsaRegister)));
 self->instructions.data[index + 0] = SSA_PUSH;
- am_memcpy(self->instructions.data + index + 1, ®, sizeof(reg));
+ am_memcpy(self->instructions.data + index + 1, ®, sizeof(SsaRegister));
 amal_log_debug("PUSH r%u", reg);
 return 0;
 }
@@ -231,11 +231,11 @@ int ssa_ins_call(Ssa *self, FunctionDecl *func_decl, SsaRegister *result) {
 if(self->reg_counter + 1 < self->reg_counter) return -1;
- return_if_error(buffer_append_empty(&self->instructions, sizeof(u8) + sizeof(func_decl) + sizeof(SsaRegister)));
+ return_if_error(buffer_append_empty(&self->instructions, sizeof(u8) + sizeof(SsaRegister) + sizeof(func_decl)));
 *result = self->reg_counter++;
 self->instructions.data[index + 0] = SSA_CALL;
 am_memcpy(self->instructions.data + index + 1, result, sizeof(*result));
- am_memcpy(self->instructions.data + index + 1 + sizeof(func_decl), &func_decl, sizeof(func_decl));
+ am_memcpy(self->instructions.data + index + 1 + sizeof(SsaRegister), &func_decl, sizeof(func_decl));
 amal_log_debug("r%u = CALL %p", *result, func_decl);
 return 0;
 }
--
cgit v1.2.3
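Review bot: The byte layout of each encoded instruction is documented nowhere in these encoders; it is implied only by matching the `buffer_append_empty` size against hand-written `am_memcpy` offsets, in ssa_ins_push here and again in ssa_ins_call in the next hunk, and a mismatch between the two is what this commit corrects. A layout comment above each encoder would make a future mismatch visible in review, for example `/* PUSH: [u8 opcode][SsaRegister reg] */` and `/* CALL: [u8 opcode][SsaRegister result][FunctionDecl *func_decl] */`. In ssa_ins_call the first copy still takes its length from `sizeof(*result)` while the next offset uses `sizeof(SsaRegister)`; one spelling for both keeps the pair obviously in step. Both function bodies start outside their hunks.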
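Review bot: The wraparound guard `if(self->reg_counter + 1 < self->reg_counter)` at the top of the ssa_ins_call hunk may never fire. The declaration of `reg_counter` is not visible here, but if its type is narrower than `int` the addition is done in `int` after promotion and the comparison is always false, so `*result = self->reg_counter++` can wrap and hand out a register number that is already in use. Assuming the counter is an unsigned `SsaRegister`, converting the sum back to that type restores the check: `if((SsaRegister)(self->reg_counter + 1) < self->reg_counter)`. The commit leaves this line unchanged, and the function starts outside the hunk.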