From 321c94af8e43fa199c74673b37b8205b6508ee8d Mon Sep 17 00:00:00 2001
From: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Mon, 19 Oct 2009 01:59:38 +0000
Subject: * iseq.c (prepare_iseq_build, rb_iseq_build_for_ruby2cext):   untrust
 mark array.  [ruby-core:26137]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@25398 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog                | 5 +++++
 iseq.c                   | 4 +++-
 test/ruby/test_regexp.rb | 4 ++++
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 7915444fe0..6629d21f67 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Mon Oct 19 10:59:36 2009  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* iseq.c (prepare_iseq_build, rb_iseq_build_for_ruby2cext):
+	  untrust mark array.  [ruby-core:26137]
+
 Mon Oct 19 05:49:53 2009  Marc-Andre Lafortune  <ruby-core@marc-andre.ca>
 
 	* lib/rexml/element.rb (text=): false should be converted to string.
diff --git a/iseq.c b/iseq.c
index 1c4cb882be..1f00132c74 100644
--- a/iseq.c
+++ b/iseq.c
@@ -220,7 +220,8 @@ prepare_iseq_build(rb_iseq_t *iseq,
     iseq->filename = filename;
     iseq->line_no = line_no;
     iseq->defined_method_id = 0;
-    iseq->mark_ary = rb_ary_new();
+    iseq->mark_ary = rb_ary_tmp_new(3);
+    OBJ_UNTRUST(iseq->mark_ary);
     RBASIC(iseq->mark_ary)->klass = 0;
 
     iseq->type = type;
@@ -1439,6 +1440,7 @@ rb_iseq_build_for_ruby2cext(
     iseq->filename = rb_str_new2(filename);
     iseq->line_no = line_no;
     iseq->mark_ary = rb_ary_tmp_new(3);
+    OBJ_UNTRUST(iseq->mark_ary);
     iseq->self = iseqval;
 
     iseq->iseq = ALLOC_N(VALUE, iseq->iseq_size);
diff --git a/test/ruby/test_regexp.rb b/test/ruby/test_regexp.rb
index 541804ade5..4f8a1a6c77 100644
--- a/test/ruby/test_regexp.rb
+++ b/test/ruby/test_regexp.rb
@@ -472,6 +472,10 @@ class TestRegexp < Test::Unit::TestCase
       /foo/.match("foo")
     end.value
     assert(m.tainted?)
+    assert_nothing_raised('[ruby-core:26137]') {
+      m = proc {$SAFE = 4; /#{}/o}.call
+    }
+    assert(m.tainted?)
   end
 
   def check(re, ss, fs = [])
-- 
cgit v1.2.3