From 23e57e59556f42d6935b65be63b59a8b0fc0e6ad Mon Sep 17 00:00:00 2001
From: Cuong Manh Le <cuong.manhle.vn@gmail.com>
Date: Thu, 21 Oct 2021 23:35:05 +0700
Subject: [PATCH] reflect: make Value.Pointer panic on bad notinheap pointers

Same as CL 350153 did for Value.Elem to panic on bad notinheap pointers.
While at it, also add more tests for notinheap deref.

Change-Id: Id7d9d12ad8467de5926b6a7e8f9d659fea5fedb5
Reviewed-on: https://go-review.googlesource.com/c/go/+/357630
Trust: Cuong Manh Le <cuong.manhle.vn@gmail.com>
Run-TryBot: Cuong Manh Le <cuong.manhle.vn@gmail.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Keith Randall <khr@golang.org>
---
 src/reflect/all_test.go |  2 ++
 src/reflect/value.go    | 12 +++++++-----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/reflect/all_test.go b/src/reflect/all_test.go
index fcd0e15f0a..922998125b 100644
--- a/src/reflect/all_test.go
+++ b/src/reflect/all_test.go
@@ -7721,6 +7721,8 @@ func TestNotInHeapDeref(t *testing.T) {
 
 	v = ValueOf((*nih)(unsafe.Pointer(new(int))))
 	shouldPanic("reflect: reflect.Value.Elem on an invalid notinheap pointer", func() { v.Elem() })
+	shouldPanic("reflect: reflect.Value.Pointer on an invalid notinheap pointer", func() { v.Pointer() })
+	shouldPanic("reflect: reflect.Value.UnsafePointer on an invalid notinheap pointer", func() { v.UnsafePointer() })
 }
 
 func TestMethodCallValueCodePtr(t *testing.T) {
diff --git a/src/reflect/value.go b/src/reflect/value.go
index 7bb8ae5b97..3e723e82a4 100644
--- a/src/reflect/value.go
+++ b/src/reflect/value.go
@@ -1940,11 +1940,13 @@ func (v Value) Pointer() uintptr {
 	switch k {
 	case Ptr:
 		if v.typ.ptrdata == 0 {
-			// Handle pointers to go:notinheap types directly,
-			// so we never materialize such pointers as an
-			// unsafe.Pointer. (Such pointers are always indirect.)
-			// See issue 42076.
-			return *(*uintptr)(v.ptr)
+			val := *(*uintptr)(v.ptr)
+			// Since it is a not-in-heap pointer, all pointers to the heap are
+			// forbidden! See comment in Value.Elem and issue #48399.
+			if !verifyNotInHeapPtr(val) {
+				panic("reflect: reflect.Value.Pointer on an invalid notinheap pointer")
+			}
+			return val
 		}
 		fallthrough
 	case Chan, Map, UnsafePointer:
-- 
2.50.0