merge revision(s) d5c33364e3c0efb15e11df417c925afee2cdb9c9: [Backport #16105]

	Fixed heap-use-after-free

	* string.c (rb_str_sub_bang): retrieves a pointer to the
	  replacement string buffer just before using it, for the case of
	  replacement with the receiver string itself.  [Bug #16105]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67747 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

1 files changed, 2 insertions, 1 deletions

diff --git a/string.c b/string.c
index 0caea99096..07268f0bb5 100644
--- a/string.c
+++ b/string.c
@@ -5078,7 +5078,7 @@ rb_str_sub_bang(int argc, VALUE *argv, VALUE str)
                 cr = cr2;
 	}
 	plen = end0 - beg0;
-	rp = RSTRING_PTR(repl); rlen = RSTRING_LEN(repl);
+        rlen = RSTRING_LEN(repl);
 	len = RSTRING_LEN(str);
 	if (rlen > plen) {
 	    RESIZE_CAPA(str, len + rlen - plen);
@@ -5087,6 +5087,7 @@ rb_str_sub_bang(int argc, VALUE *argv, VALUE str)
 	if (rlen != plen) {
 	    memmove(p + beg0 + rlen, p + beg0 + plen, len - beg0 - plen);
 	}
+	rp = RSTRING_PTR(repl);
 	memmove(p + beg0, rp, rlen);
 	len += rlen - plen;
 	STR_SET_LEN(str, len);