1berry/ruby
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix length calculation for Array#slice!

Browse Source 
Commit 4f24255 introduced a bug which allows a length to be passed to
rb_ary_new4 which is too large, resulting in invalid memory access.

For example:

    (1..1000).to_a.slice!(-2, 1000)
This commit is contained in:
Mike Dalessio 2021-08-28 10:29:17 -04:00 committed by Nobuyoshi Nakada
parent 7e36b91526
commit d43279edac
Notes: git 2021-08-29 09:41:56 +09:00 
Merged: https://github.com/ruby/ruby/pull/4787
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
array.c
View File

@ -4096,7 +4096,7 @@ ary_slice_bang_by_rb_ary_splice(VALUE ary, long pos, long len)
else if (orig_len < pos) { else if (orig_len < pos) {
return Qnil; return Qnil;
} }
else if (orig_len < pos + len) { if (orig_len < pos + len) {
len = orig_len - pos; len = orig_len - pos;
} }
if (len == 0) { if (len == 0) {