ruby-changes:59801
From: Nobuyoshi <ko1@a...>
Date: Sat, 25 Jan 2020 14:10:39 +0900 (JST)
Subject: [ruby-changes:59801] 0c436bbfbf (master): Recheck array length after `to_str` conversion
https://git.ruby-lang.org/ruby.git/commit/?id=0c436bbfbf From 0c436bbfbf3b28fab8abfcbda9b8f388fa22290a Mon Sep 17 00:00:00 2001 From: Nobuyoshi Nakada <nobu@r...> Date: Mon, 20 Jan 2020 00:41:56 +0900 Subject: Recheck array length after `to_str` conversion https://hackerone.com/reports/244787 diff --git a/array.c b/array.c index 0af7371..7925b26 100644 --- a/array.c +++ b/array.c @@ -2374,7 +2374,9 @@ rb_ary_join(VALUE ary, VALUE sep) https://github.com/ruby/ruby/blob/trunk/array.c#L2374 if (NIL_P(tmp) || tmp != val) { int first; - result = rb_str_buf_new(len + (RARRAY_LEN(ary)-i)*10); + long n = RARRAY_LEN(ary); + if (i > n) i = n; + result = rb_str_buf_new(len + (n-i)*10); rb_enc_associate(result, rb_usascii_encoding()); i = ary_join_0(ary, sep, i, result); first = i == 0; diff --git a/test/ruby/test_array.rb b/test/ruby/test_array.rb index c3b842e..fcfda92 100644 --- a/test/ruby/test_array.rb +++ b/test/ruby/test_array.rb @@ -2457,6 +2457,17 @@ class TestArray < Test::Unit::TestCase https://github.com/ruby/ruby/blob/trunk/test/ruby/test_array.rb#L2457 assert_equal("ab012z", x.ary.join("")) end + def test_join_recheck_array_length + x = Struct.new(:ary).new + def x.to_str + ary.clear + ary[0] = "b" + "z" + end + x.ary = Array.new(1023) {"a"*1} << x + assert_equal("b", x.ary.join("")) + end + def test_to_a2 klass = Class.new(Array) a = klass.new.to_a -- cgit v0.10.2 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
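Review bot: The clamp `if (i > n) i = n;` carries no comment saying why the length is read a second time, so a later cleanup could fold it back into the single `RARRAY_LEN(ary)` expression it replaced. Going by the commit title and the added test, the conversion that produces `tmp` can run a user-defined `to_str` that shrinks `ary`. I would put `/* to_str may have shrunk ary; i must not exceed the current length before it is passed to ary_join_0 */` above `long n`. `len` appears to be accumulated before the conversion (outside the hunk), so it may now overstate the size, but here it only feeds the capacity argument of `rb_str_buf_new`. The surrounding loop in `rb_ary_join` and the bodies of `ary_join_0` and `ary_join_1` are outside the hunk, so whether they bound their own indexing cannot be confirmed from here.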
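Review bot: `test_join_recheck_array_length` covers only the case where `to_str` leaves one element behind, so the clamp is never exercised against an empty array. A sibling case whose `to_str` only calls `ary.clear` would cover `i = n` with `n == 0` and the `first = i == 0` line in array.c. The literal 1023 and the expected `"b"` are also unexplained. A comment such as `# to_str shrinks the array from 1024 elements to 1 while join is running; its return value "z" must not appear in the result` would tell a maintainer what the test protects. Whether 1023 is tied to a particular allocation threshold cannot be told from the hunk, so the comment should say so if it is.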