merge revision(s) 57119: [Backport #13052]

array.c: check array length every time after yielding Since the Array may be modified during rb_yield(), the length before invoking the block can't be trusted. Fix possible out-of-bounds read in Array#combination and Array#repeated_combination. It may better to make a defensive copy of the Array, but for now let's follow what Array#permutation does. [ruby-core:78738] [Bug #13052] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@57350 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
author: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2017-01-16 19:46:03 +0000
committer: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2017-01-16 19:46:03 +0000
commit: aa983c4ccb9db02b47d4f4a470a12111644518f4 (patch)
tree: 4e73e168811a74d1e5cf0c9fe34b2c664a4aff32 /array.c
parent: f6e44a2a5a8d51b7991822118e3c7dc5d2e06146 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/array.c b/array.c
index 729de9c081..9649473f35 100644
--- a/array.c
+++ b/array.c
@@ -5063,7 +5063,7 @@ rb_ary_combination(VALUE ary, VALUE num)
 	rb_yield(rb_ary_new2(0));
     }
     else if (n == 1) {
-	for (i = 0; i < len; i++) {
+	for (i = 0; i < RARRAY_LEN(ary); i++) {
 	    rb_yield(rb_ary_new3(1, RARRAY_AREF(ary, i)));
 	}
     }
@@ -5262,7 +5262,7 @@ rb_ary_repeated_combination(VALUE ary, VALUE num)
 	rb_yield(rb_ary_new2(0));
     }
     else if (n == 1) {
-	for (i = 0; i < len; i++) {
+	for (i = 0; i < RARRAY_LEN(ary); i++) {
 	    rb_yield(rb_ary_new3(1, RARRAY_AREF(ary, i)));
 	}
     }
author	nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2017-01-16 19:46:03 +0000
committer	nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2017-01-16 19:46:03 +0000
commit	aa983c4ccb9db02b47d4f4a470a12111644518f4 (patch)
tree	4e73e168811a74d1e5cf0c9fe34b2c664a4aff32 /array.c
parent	f6e44a2a5a8d51b7991822118e3c7dc5d2e06146 (diff)