diff options
author | usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2016-12-27 11:03:50 +0000 |
---|---|---|
committer | usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2016-12-27 11:03:50 +0000 |
commit | 33b3645611cf7bee83d8d5ac9d4373b33f7fff85 (patch) | |
tree | adc7c1aa430754baffbb854b0f0cac0d9d1bc18b /ChangeLog | |
parent | 1bd82de99775f8b0dc1d0003e98e7ab0a4658694 (diff) |
merge revision(s) 57119: [Backport #13052]
array.c: check array length every time after yielding
Since the Array may be modified during rb_yield(), the length before
invoking the block can't be trusted. Fix possible out-of-bounds read in
Array#combination and Array#repeated_combination.
It may better to make a defensive copy of the Array, but for now let's
follow what Array#permutation does. [ruby-core:78738] [Bug #13052]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_2@57220 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 12 |
1 files changed, 12 insertions, 0 deletions
@@ -1,3 +1,15 @@ +Tue Dec 27 20:02:43 2016 Kazuki Yamaguchi <k@rhe.jp> + + * array.c (rb_ary_{repeated_,}combination): check array length every + time after yielding. + + Since the Array may be modified during rb_yield(), the length before + invoking the block can't be trusted. Fix possible out-of-bounds read + in Array#combination and Array#repeated_combination. + + It may better to make a defensive copy of the Array, but for now let's + follow what Array#permutation does. [Bug #13052] + Tue Dec 27 19:57:51 2016 Nobuyoshi Nakada <nobu@ruby-lang.org> * sprintf.c (rb_str_format): fix memory corruption by width underflow. |