diff options
author | nagachika <nagachika@ruby-lang.org> | 2021-08-29 19:09:35 +0900 |
---|---|---|
committer | nagachika <nagachika@ruby-lang.org> | 2021-08-29 19:09:35 +0900 |
commit | 8899fa0b3d41fd27dd1a2c6f75106cb78ff27236 (patch) | |
tree | 83ffd5adaa71a0d02735deb6f45d4cee8d481eb0 /array.c | |
parent | 600d0f78395c6a67d6bc8974be9964701976e745 (diff) |
merge revision(s) d43279edacd09edf3a43e02d62f5be475e7c3bcb,5dc36ddcd00fc556c04c15ce9770c5a84d7d43dc,523bf31564f160f899f8cf9f73540d6a6f687f17: [Backport #18138]
Fix length calculation for Array#slice!
Commit 4f24255 introduced a bug which allows a length to be passed to
rb_ary_new4 which is too large, resulting in invalid memory access.
For example:
(1..1000).to_a.slice!(-2, 1000)
---
array.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Add out of range tests for Array#slice!
---
test/ruby/test_array.rb | 13 +++++++++++++
1 file changed, 13 insertions(+)
Add negative position tests [Bug #18138]
---
test/ruby/test_array.rb | 4 ++++
1 file changed, 4 insertions(+)
Diffstat (limited to 'array.c')
-rw-r--r-- | array.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -4072,7 +4072,7 @@ ary_slice_bang_by_rb_ary_splice(VALUE ary, long pos, long len) else if (orig_len < pos) { return Qnil; } - else if (orig_len < pos + len) { + if (orig_len < pos + len) { len = orig_len - pos; } if (len == 0) { |