From 0b5862f4d9f6a1f86b09eadc54cafa106d996a7c Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Thu, 9 Apr 2026 13:22:22 -0700
Subject: Don't use fixed-size hashes for cdhash

This caused out of bounds writes because of converting to a st_table.

Co-authored-by: Luke Gruber <luke.gru@gmail.com>
Co-authored-by: Matt Valentine-House <matt@eightbitraptor.com>
---
 compile.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/compile.c b/compile.c
index e6748d38b3..ac1bdfe0f9 100644
--- a/compile.c
+++ b/compile.c
@@ -12167,7 +12167,7 @@ iseq_build_from_ary_body(rb_iseq_t *iseq, LINK_ANCHOR *const anchor,
                       case TS_CDHASH:
                         {
                             int i;
-                            VALUE map = rb_hash_alloc_fixed_size(Qfalse, RARRAY_LEN(op)/2);
+                            VALUE map = rb_hash_new_with_size(RARRAY_LEN(op)/2);
 
                             RHASH_TBL_RAW(map)->type = &cdhash_type;
                             op = rb_to_array_type(op);
@@ -12179,7 +12179,7 @@ iseq_build_from_ary_body(rb_iseq_t *iseq, LINK_ANCHOR *const anchor,
                                 rb_hash_aset(map, key, (VALUE)label | 1);
                             }
                             RB_GC_GUARD(op);
-                            RB_OBJ_SET_SHAREABLE(map); // allow mutation while compiling
+                            RB_OBJ_SET_SHAREABLE(rb_obj_hide(map)); // allow mutation while compiling
                             argv[j] = map;
                             RB_OBJ_WRITTEN(iseq, Qundef, map);
                         }
-- 
cgit v1.2.3