From 16fa2e9b6d50a17c8434dbff9073edcf54cb77aa Mon Sep 17 00:00:00 2001
From: Vlad Brezae
Date: Wed, 29 Aug 2018 13:43:03 +0300
Subject: [PATCH] [sgen] Fix string size inconsistency between alloc/scan

This could lead to crashes when having strings with size at the LOS boundary.
https://github.com/mono/mono/issues/10309
---
 mono/metadata/object-internals.h | 2 ++
 mono/metadata/object.c | 4 ++--
 mono/metadata/sgen-client-mono.h | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/mono/metadata/object-internals.h b/mono/metadata/object-internals.h
index 97bb44b85d4..d385d2afc04 100644
--- a/mono/metadata/object-internals.h
+++ b/mono/metadata/object-internals.h
@@ -153,6 +153,8 @@ struct _MonoString {
 mono_unichar2 chars [MONO_ZERO_LEN_ARRAY];
 };
+#define MONO_SIZEOF_MONO_STRING (MONO_STRUCT_OFFSET (MonoString, chars))
+
 #define mono_object_class(obj) (((MonoObject*)(obj))->vtable->klass)
 #define mono_object_domain(obj) (((MonoObject*)(obj))->vtable->domain)
diff --git a/mono/metadata/object.c b/mono/metadata/object.c
index 6dff67fb9cc..6f84ea79ae0 100644
--- a/mono/metadata/object.c
+++ b/mono/metadata/object.c
@@ -6998,7 +6998,7 @@ mono_object_get_size (MonoObject* o)
 MonoClass* klass = mono_object_class (o);
 if (klass == mono_defaults.string_class) {
- return sizeof (MonoString) + 2 * mono_string_length ((MonoString*) o) + 2;
+ return MONO_SIZEOF_MONO_STRING + 2 * mono_string_length ((MonoString*) o) + 2;
 } else if (o->vtable->rank) {
 MonoArray *array = (MonoArray*)o;
 size_t size = MONO_SIZEOF_MONO_ARRAY + mono_array_element_size (klass) * mono_array_length (array);
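Review bot: The name MONO_SIZEOF_MONO_STRING reads as sizeof (MonoString), but the added macro expands to the offset of chars — the header size only — and nothing at the definition says so, which is the same confusion that let sizeof (MonoString) into the allocation path this patch fixes. I would document it right above the define: `/* Size of the MonoString header, i.e. the offset of the chars[] payload. Use this, not sizeof (MonoString) (which includes the zero-length-array padding), when sizing strings; the GC sizes a string as MONO_SIZEOF_MONO_STRING + 2 * length + 2. */`. MONO_STRUCT_OFFSET is presumably what MONO_SIZEOF_MONO_ARRAY, used in object.c, is already built on, so it should be in scope in this header, but that definition is not visible here.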
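Review bot: On the new return line, `2 * mono_string_length ((MonoString*) o) + 2` is still evaluated in the length's own integer type before the sum is widened; if mono_string_length yields a 32-bit signed value (the MonoString length field is normally gint32, though its declaration is not in this hunk), a string longer than roughly 2^30 characters makes the multiply overflow, which is undefined behaviour, before the result reaches the caller. Unless string construction caps lengths below that bound — not visible here — I would widen first, `return MONO_SIZEOF_MONO_STRING + 2 * (size_t) mono_string_length ((MonoString*) o) + 2;`, which also matches the array branch below where the product is taken against a mono_array_length operand. A short comment on the line, `/* header + UTF-16 payload + 2-byte terminator; must agree with sgen_client_slow_object_get_size () */`, would record why the formula is what it is and tie the two sites together. mono_object_get_size continues past the end of the hunk.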
@@ -7241,7 +7241,7 @@ mono_string_get_pinned (MonoString *str, MonoError *error)
 return str;
 int size;
 MonoString *news;
- size = sizeof (MonoString) + 2 * (mono_string_length (str) + 1);
+ size = MONO_SIZEOF_MONO_STRING + 2 * (mono_string_length (str) + 1);
 news = (MonoString *)mono_gc_alloc_pinned_obj (((MonoObject*)str)->vtable, size);
 if (news) {
 memcpy (mono_string_chars (news), mono_string_chars (str), mono_string_length (str) * 2);
diff --git a/mono/metadata/sgen-client-mono.h b/mono/metadata/sgen-client-mono.h
index 4dcbb896c34..3ed143fd1dc 100644
--- a/mono/metadata/sgen-client-mono.h
+++ b/mono/metadata/sgen-client-mono.h
@@ -115,7 +115,7 @@ sgen_client_slow_object_get_size (GCVTable vtable, GCObject* o)
 * mono_array_length_fast not using the object's vtable.
 */
 if (klass == mono_defaults.string_class) {
- return G_STRUCT_OFFSET (MonoString, chars) + 2 * mono_string_length_fast ((MonoString*) o) + 2;
+ return MONO_SIZEOF_MONO_STRING + 2 * mono_string_length_fast ((MonoString*) o) + 2;
 } else if (m_class_get_rank (klass)) {
 return sgen_mono_array_size (vtable, (MonoArray*)o, NULL, 0);
 } else {
-- 
2.11.4.GIT
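Review bot: `size` is declared as a plain `int` (the `int size;` context line above the change) even though it is passed to mono_gc_alloc_pinned_obj as an allocation size and, through the same formula, has to equal what the collector later computes for the object — the invariant this patch restores — and neither the narrow type nor the invariant is stated. I would change the two lines to `size_t size;` and `size = MONO_SIZEOF_MONO_STRING + 2 * ((size_t) mono_string_length (str) + 1);` so the arithmetic cannot overflow in int for very long strings, with `/* must match sgen_client_slow_object_get_size () and mono_object_get_size () */` above the assignment. The memcpy copies only the characters; whether the new string's length field and the 2-byte terminator the formula reserves are set afterwards is outside this hunk, since mono_string_get_pinned continues past it.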
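Review bot: Nothing on the new return line records why a string is sized as header + 2 * length + 2, or that the formula has to stay identical to the allocation-side computations in object.c, so the two can drift apart again exactly as the commit message describes. I would extend the comment block just above the branch with the lines `* Strings are header + 2 * length + 2 (UTF-16 payload plus a 2-byte terminator); keep this` and `* in sync with mono_object_get_size () and mono_string_get_pinned () in object.c.`. The replaced G_STRUCT_OFFSET (MonoString, chars) computed the same value, so the code change itself appears to be a consistency-only edit; sgen_client_slow_object_get_size starts and ends outside the hunk.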