ruby-changes:45046
From: rhe <ko1@a...>
Date: Tue, 20 Dec 2016 14:26:12 +0900 (JST)
Subject: [ruby-changes:45046] rhe:r57119 (trunk): array.c: check array length every time after yielding
rhe 2016-12-20 14:26:08 +0900 (Tue, 20 Dec 2016) New Revision: 57119 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=57119 Log: array.c: check array length every time after yielding Since the Array may be modified during rb_yield(), the length before invoking the block can't be trusted. Fix possible out-of-bounds read in Array#combination and Array#repeated_combination. It may better to make a defensive copy of the Array, but for now let's follow what Array#permutation does. [ruby-core:78738] [Bug #13052] Modified files: trunk/array.c trunk/test/ruby/test_array.rb Index: test/ruby/test_array.rb =================================================================== --- test/ruby/test_array.rb (revision 57118) +++ test/ruby/test_array.rb (revision 57119) @@ -2483,11 +2483,18 @@ class TestArray < Test::Unit::TestCase https://github.com/ruby/ruby/blob/trunk/test/ruby/test_array.rb#L2483 def test_combination_clear bug9939 = '[ruby-core:63149] [Bug #9939]' - assert_ruby_status([], <<-'end;', bug9939) - 100_000.times {Array.new(1000)} + assert_nothing_raised(bug9939) { a = [*0..100] a.combination(3) {|*,x| a.clear} - end; + } + + bug13052 = '[ruby-core:78738] [Bug #13052] Array#combination segfaults if the Array is modified during iteration' + assert_nothing_raised(bug13052) { + a = [*0..100] + a.combination(1) { a.clear } + a = [*0..100] + a.repeated_combination(1) { a.clear } + } end def test_product2 Index: array.c =================================================================== --- array.c (revision 57118) +++ array.c (revision 57119) @@ -5194,7 +5194,7 @@ rb_ary_combination(VALUE ary, VALUE num) https://github.com/ruby/ruby/blob/trunk/array.c#L5194 rb_yield(rb_ary_new2(0)); } else if (n == 1) { - for (i = 0; i < len; i++) { + for (i = 0; i < RARRAY_LEN(ary); i++) { rb_yield(rb_ary_new3(1, RARRAY_AREF(ary, i))); } } @@ -5393,7 +5393,7 @@ rb_ary_repeated_combination(VALUE ary, V https://github.com/ruby/ruby/blob/trunk/array.c#L5393 rb_yield(rb_ary_new2(0)); } else if (n == 1) { - for (i = 0; i < len; i++) { + for (i = 0; i < RARRAY_LEN(ary); i++) { rb_yield(rb_ary_new3(1, RARRAY_AREF(ary, i))); } } -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/