ruby-changes:67276
From: Mike <ko1@a...>
Date: Sun, 29 Aug 2021 09:41:47 +0900 (JST)
Subject: [ruby-changes:67276] d43279edac (master): Fix length calculation for Array#slice!
https://git.ruby-lang.org/ruby.git/commit/?id=d43279edac From d43279edacd09edf3a43e02d62f5be475e7c3bcb Mon Sep 17 00:00:00 2001 From: Mike Dalessio <mike.dalessio@g...> Date: Sat, 28 Aug 2021 10:29:17 -0400 Subject: Fix length calculation for Array#slice! Commit 4f24255 introduced a bug which allows a length to be passed to rb_ary_new4 which is too large, resulting in invalid memory access. For example: (1..1000).to_a.slice!(-2, 1000) --- array.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/array.c b/array.c index bd323cd..edac216 100644 --- a/array.c +++ b/array.c @@ -4096,7 +4096,7 @@ ary_slice_bang_by_rb_ary_splice(VALUE ary, long pos, long len) https://github.com/ruby/ruby/blob/trunk/array.c#L4096 else if (orig_len < pos) { return Qnil; } - else if (orig_len < pos + len) { + if (orig_len < pos + len) { len = orig_len - pos; } if (len == 0) { -- cgit v1.1 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
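Review bot: No regression test accompanies the clamp at `if (orig_len < pos + len)`; the diffstat lists only array.c, so nothing stops the `else if` from being reintroduced later. Please add a test for the case given in the commit message, `(1..1000).to_a.slice!(-2, 1000)`, asserting that it returns `[999, 1000]` and leaves 998 elements in the receiver. Separately, `pos + len` is a sum of two `long` values, and the hunk does not show an upper bound on `len`. If callers can pass a `len` close to `LONG_MAX`, the addition can overflow before the comparison and the clamp would be skipped again. Writing the check as `if (orig_len - pos < len)` avoids the addition, given that the preceding branch already returns when `orig_len < pos`.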