merge revision(s) d43279edacd09edf3a43e02d62f5be475e7c3bcb,5dc36ddcd00fc556c04c15ce9770c5a84d7d43dc,523bf31564f160f899f8cf9f73540d6a6f687f17: [Backport #18138]

Fix length calculation for Array#slice! Commit 4f24255 introduced a bug which allows a length to be passed to rb_ary_new4 which is too large, resulting in invalid memory access. For example: (1..1000).to_a.slice!(-2, 1000) --- array.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Add out of range tests for Array#slice! --- test/ruby/test_array.rb | 13 +++++++++++++ 1 file changed, 13 insertions(+) Add negative position tests [Bug #18138] --- test/ruby/test_array.rb | 4 ++++ 1 file changed, 4 insertions(+)
author: nagachika <nagachika@ruby-lang.org> 2021-08-29 19:09:35 +0900
committer: nagachika <nagachika@ruby-lang.org> 2021-08-29 19:09:35 +0900
commit: 8899fa0b3d41fd27dd1a2c6f75106cb78ff27236 (patch)
tree: 83ffd5adaa71a0d02735deb6f45d4cee8d481eb0 /array.c
parent: 600d0f78395c6a67d6bc8974be9964701976e745 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/array.c b/array.c
index c0c8016813..7ed3b14ef5 100644
--- a/array.c
+++ b/array.c
@@ -4072,7 +4072,7 @@ ary_slice_bang_by_rb_ary_splice(VALUE ary, long pos, long len)
     else if (orig_len < pos) {
         return Qnil;
     }
-    else if (orig_len < pos + len) {
+    if (orig_len < pos + len) {
         len = orig_len - pos;
     }
     if (len == 0) {
author	nagachika <nagachika@ruby-lang.org>	2021-08-29 19:09:35 +0900
committer	nagachika <nagachika@ruby-lang.org>	2021-08-29 19:09:35 +0900
commit	8899fa0b3d41fd27dd1a2c6f75106cb78ff27236 (patch)
tree	83ffd5adaa71a0d02735deb6f45d4cee8d481eb0 /array.c
parent	600d0f78395c6a67d6bc8974be9964701976e745 (diff)