From d43279edacd09edf3a43e02d62f5be475e7c3bcb Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Sat, 28 Aug 2021 10:29:17 -0400
Subject: [PATCH] Fix length calculation for Array#slice!

Commit 4f24255 introduced a bug which allows a length to be passed to rb_ary_new4 which is too large, resulting in invalid memory access. For example: (1..1000).to_a.slice!(-2, 1000)
---
 array.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/array.c b/array.c
index bd323cd6b0..edac2169f9 100644
--- a/array.c
+++ b/array.c
@@ -4096,7 +4096,7 @@ ary_slice_bang_by_rb_ary_splice(VALUE ary, long pos, long len)
 else if (orig_len < pos) {
 return Qnil;
 }
- else if (orig_len < pos + len) {
+ if (orig_len < pos + len) {
 len = orig_len - pos;
 }
 if (len == 0) {
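Review bot: The new `if (orig_len < pos + len)` still computes `pos + len` in `long`, so a caller supplying a length near `LONG_MAX` together with a positive `pos` makes the addition overflow (undefined behaviour for signed arithmetic) and, if it wraps negative, skips the clamp ahead of the `rb_ary_new4` copy the commit message describes; whether the caller bounds `len` before this point is not visible in the hunk. Because the preceding `else if (orig_len < pos)` branch returns when `pos` exceeds the length (and the negative-`pos` branch above the hunk presumably normalises `pos` into range), `orig_len - pos` cannot overflow here, so the same clamp can be written overflow-free as `if (len > orig_len - pos) {` with identical results for in-range values. A regression test using the `(1..1000).to_a.slice!(-2, 1000)` example from the commit message would pin the fix against a future reordering of these branches. ary_slice_bang_by_rb_ary_splice starts and ends outside the hunk.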