Fix length calculation for Array#slice!

Commit 4f24255 introduced a bug which allows a length to be passed to rb_ary_new4 which is too large, resulting in invalid memory access. For example: (1..1000).to_a.slice!(-2, 1000)
author: Mike Dalessio <mike.dalessio@gmail.com> 2021-08-28 10:29:17 -0400
committer: Nobuyoshi Nakada <nobu@ruby-lang.org> 2021-08-29 09:41:22 +0900
commit: d43279edacd09edf3a43e02d62f5be475e7c3bcb (patch)
tree: f91f3e1e6ed828604ef84fb6ff62b12b75eaca6c /array.c
parent: 7e36b91526fdcd83f8a54f4f1f574c89ed0bedee (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/array.c b/array.c
index bd323cd6b0..edac2169f9 100644
--- a/array.c
+++ b/array.c
@@ -4096,7 +4096,7 @@ ary_slice_bang_by_rb_ary_splice(VALUE ary, long pos, long len)
     else if (orig_len < pos) {
         return Qnil;
     }
-    else if (orig_len < pos + len) {
+    if (orig_len < pos + len) {
         len = orig_len - pos;
     }
     if (len == 0) {
author	Mike Dalessio <mike.dalessio@gmail.com>	2021-08-28 10:29:17 -0400
committer	Nobuyoshi Nakada <nobu@ruby-lang.org>	2021-08-29 09:41:22 +0900
commit	d43279edacd09edf3a43e02d62f5be475e7c3bcb (patch)
tree	f91f3e1e6ed828604ef84fb6ff62b12b75eaca6c /array.c
parent	7e36b91526fdcd83f8a54f4f1f574c89ed0bedee (diff)