From c032c5bc9acb015dbe2947a39d3d7ce033c934ee Mon Sep 17 00:00:00 2001
From: glass <glass@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Sat, 3 Nov 2012 03:21:47 +0000
Subject: [PATCH] * array.c (recursive_equal): fix not to make invalid pointers
 when   self and other are resized to same size in #== of their elements.  
 [ruby-dev:46373] [Feature #6177]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@37438 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog | 6 ++++++
 array.c   | 8 +++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 8af4911def..a52c0aa10b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Sat Nov  3 12:18:35 2012  Masaki Matsushita  <glass.saga@gmail.com>
+
+	* array.c (recursive_equal): fix not to make invalid pointers when
+	  self and other are resized to same size in #== of their elements.
+	  [ruby-dev:46373] [Feature #6177]
+
 Sat Nov  3 12:06:15 2012  Kouhei Sutou  <kou@cozmixng.org>
 
 	* test/rexml/test_xml_declaration.rb (TestXmlDeclaration#test_*):
diff --git a/array.c b/array.c
index ac6074d3c1..f4750696fd 100644
--- a/array.c
+++ b/array.c
@@ -3269,18 +3269,20 @@ rb_ary_rassoc(VALUE ary, VALUE value)
 static VALUE
 recursive_equal(VALUE ary1, VALUE ary2, int recur)
 {
-    long i;
+    long i, len1;
     VALUE *p1, *p2;
 
     if (recur) return Qtrue; /* Subtle! */
 
     p1 = RARRAY_PTR(ary1);
     p2 = RARRAY_PTR(ary2);
+    len1 = RARRAY_LEN(ary1);
 
-    for (i = 0; i < RARRAY_LEN(ary1); i++) {
+    for (i = 0; i < len1; i++) {
 	if (*p1 != *p2) {
 	    if (rb_equal(*p1, *p2)) {
-		if (RARRAY_LEN(ary1) != RARRAY_LEN(ary2))
+		len1 = RARRAY_LEN(ary1);
+		if (len1 != RARRAY_LEN(ary2) || len1 < i)
 		    return Qfalse;
 		p1 = RARRAY_PTR(ary1) + i;
 		p2 = RARRAY_PTR(ary2) + i;