From 21035c826db5933cf836a4a12fb74b696a76b255 Mon Sep 17 00:00:00 2001
From: Jeremy Evans <code@jeremyevans.net>
Date: Sat, 3 May 2025 11:20:23 -0700
Subject: [PATCH] Handle mutating of array passed to Set.new during iteration

This avoids a heap-use-after-free.

Fixes [Bug #21306]
---
 set.c                 | 19 +++++++------------
 test/ruby/test_set.rb |  5 +++++
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/set.c b/set.c
index 0f72a8ea4d..6fb04d8788 100644
--- a/set.c
+++ b/set.c
@@ -494,18 +494,13 @@ set_i_initialize(int argc, VALUE *argv, VALUE set)
 
     if (argc > 0 && (other = argv[0]) != Qnil) {
         if (RB_TYPE_P(other, T_ARRAY)) {
-            long len = RARRAY_LEN(other);
-            if (RARRAY_LEN(other) != 0) {
-                set_table *into = RSET_TABLE(set);
-                VALUE key;
-                int block_given = rb_block_given_p();
-                RARRAY_PTR_USE(other, ptr, {
-                    for(; len > 0; len--, ptr++) {
-                        key = *ptr;
-                        if (block_given) key = rb_yield(key);
-                        set_table_insert_wb(into, set, key, NULL);
-                    }
-                });
+            long i;
+            int block_given = rb_block_given_p();
+            set_table *into = RSET_TABLE(set);
+            for (i=0; i<RARRAY_LEN(other); i++) {
+                VALUE key = RARRAY_AREF(other, i);
+                if (block_given) key = rb_yield(key);
+                set_table_insert_wb(into, set, key, NULL);
             }
         }
         else {
diff --git a/test/ruby/test_set.rb b/test/ruby/test_set.rb
index 225b7da78c..2bb7858eb2 100644
--- a/test/ruby/test_set.rb
+++ b/test/ruby/test_set.rb
@@ -643,6 +643,11 @@ class TC_Set < Test::Unit::TestCase
     assert_equal([o], Set.new.merge(a).to_a)
   end
 
+  def test_initialize_mutating_array_bug_21306
+    a = (1..100).to_a
+    assert_equal(Set[0], Set.new(a){a.clear; 0})
+  end
+
   def test_subtract
     set = Set[1,2,3]