From 470b6bb77d93f500105b927d2e99053496217873 Mon Sep 17 00:00:00 2001
From: Rodrigo Kumpera <kumpera@gmail.com>
Date: Tue, 12 Sep 2017 10:30:13 -0700
Subject: [PATCH] [verifier] Allow byref in PropertySig blobs. Fixes #59180

---
 mono/metadata/metadata-verify.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/mono/metadata/metadata-verify.c b/mono/metadata/metadata-verify.c
index 666c158332e..e898178e00a 100644
--- a/mono/metadata/metadata-verify.c
+++ b/mono/metadata/metadata-verify.c
@@ -1514,6 +1514,7 @@ parse_method_signature (VerifyContext *ctx, const char **_ptr, const char *end,
 static gboolean
 parse_property_signature (VerifyContext *ctx, const char **_ptr, const char *end)
 {
+	unsigned type = 0;
 	unsigned sig = 0;
 	unsigned param_count = 0, i;
 	const char *ptr = *_ptr;
@@ -1530,6 +1531,13 @@ parse_property_signature (VerifyContext *ctx, const char **_ptr, const char *end
 	if (!parse_custom_mods (ctx, &ptr, end))
 		return FALSE;
 
+	if (!safe_read8 (type, ptr, end))
+		FAIL (ctx, g_strdup ("PropertySig: Not enough room for the type"));
+
+	//check if it's a byref. safe_read8 did update ptr, so we rollback if it's not a byref
+	if (type != MONO_TYPE_BYREF)
+		--ptr;
+
 	if (!parse_type (ctx, &ptr, end))
 		FAIL (ctx, g_strdup ("PropertySig: Could not parse property type"));
 
-- 
2.25.1