diff options
author | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2017-01-16 19:46:03 +0000 |
---|---|---|
committer | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2017-01-16 19:46:03 +0000 |
commit | aa983c4ccb9db02b47d4f4a470a12111644518f4 (patch) | |
tree | 4e73e168811a74d1e5cf0c9fe34b2c664a4aff32 /array.c | |
parent | f6e44a2a5a8d51b7991822118e3c7dc5d2e06146 (diff) |
merge revision(s) 57119: [Backport #13052]
array.c: check array length every time after yielding
Since the Array may be modified during rb_yield(), the length before
invoking the block can't be trusted. Fix possible out-of-bounds read in
Array#combination and Array#repeated_combination.
It may better to make a defensive copy of the Array, but for now let's
follow what Array#permutation does. [ruby-core:78738] [Bug #13052]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@57350 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'array.c')
-rw-r--r-- | array.c | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -5063,7 +5063,7 @@ rb_ary_combination(VALUE ary, VALUE num) rb_yield(rb_ary_new2(0)); } else if (n == 1) { - for (i = 0; i < len; i++) { + for (i = 0; i < RARRAY_LEN(ary); i++) { rb_yield(rb_ary_new3(1, RARRAY_AREF(ary, i))); } } @@ -5262,7 +5262,7 @@ rb_ary_repeated_combination(VALUE ary, VALUE num) rb_yield(rb_ary_new2(0)); } else if (n == 1) { - for (i = 0; i < len; i++) { + for (i = 0; i < RARRAY_LEN(ary); i++) { rb_yield(rb_ary_new3(1, RARRAY_AREF(ary, i))); } } |