From 18c649598635b218b39a0cd5d4bee9b58ea5eb91 Mon Sep 17 00:00:00 2001
From: Trung Nguyen <57174311+trungnt2910@users.noreply.github.com>
Date: Tue, 6 Jun 2023 00:39:48 +1000
Subject: [PATCH] [VM] Fix potential double free (#86207)
Use a raw char `NewArrayHolder` instead of a `NewHolder` to store the `StackingAllocator` to prevent its destructor from being called twice since `StackingAllocatorHolder` has already taken care of the destruction.
---
 src/coreclr/vm/stackingallocator.h | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/coreclr/vm/stackingallocator.h b/src/coreclr/vm/stackingallocator.h
index a937bf942201a..2753de73908b4 100644
--- a/src/coreclr/vm/stackingallocator.h
+++ b/src/coreclr/vm/stackingallocator.h
@@ -227,7 +227,7 @@ private :
 Thread *pThread__ACQUIRE_STACKING_ALLOCATOR = GetThread(); \
 StackingAllocator *stackingAllocatorName = pThread__ACQUIRE_STACKING_ALLOCATOR->m_stackLocalAllocator; \
 bool allocatorOwner__ACQUIRE_STACKING_ALLOCATOR = false; \
- NewHolder heapAllocatedStackingBuffer__ACQUIRE_STACKING_ALLOCATOR; \
+ NewArrayHolder heapAllocatedStackingBuffer__ACQUIRE_STACKING_ALLOCATOR; \
 \
 if (stackingAllocatorName == NULL) \
 { \
@@ -237,10 +237,11 @@ private :
 } \
 else \
 {\
- stackingAllocatorName = new (nothrow) StackingAllocator; \
- if (stackingAllocatorName == NULL) \
+ char *pBuffer__ACQUIRE_STACKING_ALLOCATOR = new (nothrow) char[sizeof(StackingAllocator)]; \
+ if (pBuffer__ACQUIRE_STACKING_ALLOCATOR == NULL) \
 ThrowOutOfMemory(); \
- heapAllocatedStackingBuffer__ACQUIRE_STACKING_ALLOCATOR = stackingAllocatorName; \
+ heapAllocatedStackingBuffer__ACQUIRE_STACKING_ALLOCATOR = pBuffer__ACQUIRE_STACKING_ALLOCATOR; \
+ stackingAllocatorName = new (pBuffer__ACQUIRE_STACKING_ALLOCATOR) StackingAllocator; \
 }\
 allocatorOwner__ACQUIRE_STACKING_ALLOCATOR = true; \
 } \
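Review bot: The placement-new in the second hunk, `stackingAllocatorName = new (pBuffer__ACQUIRE_STACKING_ALLOCATOR) StackingAllocator;`, constructs into storage obtained from `new (nothrow) char[sizeof(StackingAllocator)]`, which only guarantees the default new-expression alignment, so an over-aligned `StackingAllocator` would make this undefined behaviour (the holder declarations also show no template arguments here, presumably `NewArrayHolder<char>` with the brackets lost in rendering). A compile-time check beside the macro definition would pin that assumption: `static_assert(alignof(StackingAllocator) <= alignof(std::max_align_t), "StackingAllocator must fit the default alignment of the char[] backing buffer");` (`std::max_align_t` comes from `<cstddef>`). Since the double free this commit fixes came from two holders both destroying the object, the new ownership split deserves a comment on the `NewArrayHolder` declaration in the first hunk, e.g. `// Owns only the raw bytes (delete[]); ~StackingAllocator is run by StackingAllocatorHolder, never here.`. The macro body continues past both hunks, so the hand-off to `StackingAllocatorHolder` is not visible; if anything between the placement-new and that hand-off can throw, the object's destructor would be skipped and only the bytes freed, which is worth confirming.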