https://git.ruby-lang.org/ruby.git/commit/?id=ff41663403

From ff41663403d3eb76d95f465cb94e14d2faaa04d1 Mon Sep 17 00:00:00 2001
From: Kazuki Tsujimoto <kazuki@c...>
Date: Tue, 19 Nov 2019 09:35:47 -0600
Subject: Fix memory corruption in Enumerable#reverse_each [ruby-dev:50867]
 [Bug #16354]


diff --git a/enum.c b/enum.c
index 0653280..a411449 100644
--- a/enum.c
+++ b/enum.c
@@ -2419,14 +2419,20 @@ static VALUE https://github.com/ruby/ruby/blob/trunk/enum.c#L2419
 enum_reverse_each(int argc, VALUE *argv, VALUE obj)
 {
     VALUE ary;
-    long i;
+    long len;
 
     RETURN_SIZED_ENUMERATOR(obj, argc, argv, enum_size);
 
     ary = enum_to_a(argc, argv, obj);
 
-    for (i = RARRAY_LEN(ary); --i >= 0; ) {
-	rb_yield(RARRAY_AREF(ary, i));
+    len = RARRAY_LEN(ary);
+    while (len--) {
+        long nlen;
+        rb_yield(RARRAY_AREF(ary, len));
+        nlen = RARRAY_LEN(ary);
+        if (nlen < len) {
+            len = nlen;
+        }
     }
 
     return obj;
diff --git a/test/ruby/test_enum.rb b/test/ruby/test_enum.rb
index 5fbb2d3..7b64723 100644
--- a/test/ruby/test_enum.rb
+++ b/test/ruby/test_enum.rb
@@ -735,6 +735,19 @@ class TestEnumerable < Test::Unit::TestCase https://github.com/ruby/ruby/blob/trunk/test/ruby/test_enum.rb#L735
     assert_equal([2,1,3,2,1], @obj.reverse_each.to_a)
   end
 
+  def test_reverse_each_memory_corruption
+    bug16354 = '[ruby-dev:50867]'
+    assert_normal_exit %q{
+      size = 1000
+      (0...size).reverse_each do |i|
+        i.inspect
+        ObjectSpace.each_object(Array) do |a|
+          a.clear if a.length == size
+        end
+      end
+    }, bug16354
+  end
+
   def test_chunk
     e = [].chunk {|elt| true }
     assert_equal([], e.to_a)
-- 
cgit v0.10.2


--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/