1 files changed, 24 insertions, 4 deletions

diff --git a/sljit/sljitExecAllocator.c b/sljit/sljitExecAllocator.c
index 3b37a97..92ddb94 100644
--- a/sljit/sljitExecAllocator.c
+++ b/sljit/sljitExecAllocator.c
@@ -118,10 +118,20 @@ static SLJIT_INLINE int get_map_jit_flag()
 	if (map_jit_flag == -1) {
 		struct utsname name;
 
+		map_jit_flag = 0;
 		uname(&name);
 
 		/* Kernel version for 10.14.0 (Mojave) */
-		map_jit_flag = (atoi(name.release) >= 18) ? MAP_JIT : 0;
+		if (atoi(name.release) >= 18) {
+			/* Only use MAP_JIT if a hardened runtime is used, because MAP_JIT is incompatible with fork(). */
+			void *ptr = mmap(NULL, getpagesize(), PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+
+			if (ptr == MAP_FAILED) {
+				map_jit_flag = MAP_JIT;
+			} else {
+				munmap(ptr, getpagesize());
+			}
+		}
 	}
 
 	return map_jit_flag;
@@ -137,6 +147,7 @@ static SLJIT_INLINE int get_map_jit_flag()
 static SLJIT_INLINE void* alloc_chunk(sljit_uw size)
 {
 	void *retval;
+	const int prot = PROT_READ | PROT_WRITE | PROT_EXEC;
 
 #ifdef MAP_ANON
 
@@ -146,16 +157,25 @@ static SLJIT_INLINE void* alloc_chunk(sljit_uw size)
 	flags |= get_map_jit_flag();
 #endif
 
-	retval = mmap(NULL, size, PROT_READ | PROT_WRITE | PROT_EXEC, flags, -1, 0);
+	retval = mmap(NULL, size, prot, flags, -1, 0);
 #else /* !MAP_ANON */
 	if (dev_zero < 0) {
 		if (open_dev_zero())
 			return NULL;
 	}
-	retval = mmap(NULL, size, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE, dev_zero, 0);
+	retval = mmap(NULL, size, prot, MAP_PRIVATE, dev_zero, 0);
 #endif /* MAP_ANON */
 
-	return (retval != MAP_FAILED) ? retval : NULL;
+	if (retval == MAP_FAILED)
+		retval = NULL;
+	else {
+		if (mprotect(retval, size, prot) < 0) {
+			munmap(retval, size);
+			retval = NULL;
+		}
+	}
+
+	return retval;
 }
 
 static SLJIT_INLINE void free_chunk(void *chunk, sljit_uw size)