From 78b1ca9f0f9f3f2ecc65342158af5e71b6fb8139 Mon Sep 17 00:00:00 2001
From: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Thu, 6 Feb 2014 01:31:27 +0000
Subject: array.c: comment why rb_ary_modify is needed twice

* array.c (rb_ary_initialize): NUM2LONG() may call size.to_int,
  ary can be frozen, modified, etc, so recheck after argument
  conversion is necessary.  [Closes GH-526]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@44855 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 array.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/array.c b/array.c
index 088a9a5f1a..5cf995c303 100644
--- a/array.c
+++ b/array.c
@@ -735,12 +735,14 @@ rb_ary_initialize(int argc, VALUE *argv, VALUE ary)
     }
 
     len = NUM2LONG(size);
+    /* NUM2LONG() may call size.to_int, ary can be frozen, modified, etc */
     if (len < 0) {
 	rb_raise(rb_eArgError, "negative array size");
     }
     if (len > ARY_MAX_SIZE) {
 	rb_raise(rb_eArgError, "array size too big");
     }
+    /* recheck after argument conversion */
     rb_ary_modify(ary);
     ary_resize_capa(ary, len);
     if (rb_block_given_p()) {
-- 
cgit v1.2.3