From d8cc41c43be65dd4b17e7a6e38f5a7fdf2b247d6 Mon Sep 17 00:00:00 2001
From: Takashi Kokubun
Date: Sun, 14 Jul 2019 21:48:22 +0900
Subject: Fix a wrong buffer size to avoid stack corruption [Bug #15986]

---
 mjit_worker.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'mjit_worker.c')

diff --git a/mjit_worker.c b/mjit_worker.c
index 9f8a5f0bbd..44123e28e1 100644
--- a/mjit_worker.c
+++ b/mjit_worker.c
@@ -1049,8 +1049,8 @@ convert_unit_to_func(struct rb_mjit_unit *unit)
     if (FIXNUM_P(unit->iseq->body->location.first_lineno))
         // FIX2INT may fallback to rb_num2long(), which is a method call and dangerous in MJIT worker. So using only FIX2LONG.
         iseq_lineno = FIX2LONG(unit->iseq->body->location.first_lineno);
-    char *iseq_label = alloca(RSTRING_LEN(unit->iseq->body->location.label));
-    char *iseq_path = alloca(RSTRING_LEN(rb_iseq_path(unit->iseq)));
+    char *iseq_label = alloca(RSTRING_LEN(unit->iseq->body->location.label) + 1);
+    char *iseq_path = alloca(RSTRING_LEN(rb_iseq_path(unit->iseq)) + 1);
     strcpy(iseq_label, RSTRING_PTR(unit->iseq->body->location.label));
     strcpy(iseq_path, RSTRING_PTR(rb_iseq_path(unit->iseq)));
--
cgit v1.2.3
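Review bot: The two `strcpy` calls that follow the corrected `alloca` lines still copy until the first NUL in `RSTRING_PTR(...)`, so the buffer is sized by `RSTRING_LEN` but filled by a length the code never checks; if a label or path string is not NUL-terminated exactly at `RSTRING_LEN` (CRuby does not guarantee termination for every string representation, and this runs on the MJIT worker thread where the usual `StringValueCStr` path is avoided), the write can again run past the `+ 1` byte the commit adds. Copying with `memcpy` bounded by the same `RSTRING_LEN` value and terminating explicitly ties the copy length to the allocation size, which is the invariant the fix is trying to restore. Separately, `alloca` grows the worker's stack by the full path/label length with no failure path; paths fed through `eval`/`iseq_path` are presumably not bounded by `PATH_MAX`, so a comment such as `// NOTE: alloca size is caller-controlled (label/path length); consider a heap copy or a cap` would help a later reader. The enclosing `convert_unit_to_func` begins and ends outside this hunk, so I cannot see how long these buffers live or whether the strings can be released concurrently.
```c
    long label_len = RSTRING_LEN(unit->iseq->body->location.label);
    long path_len = RSTRING_LEN(rb_iseq_path(unit->iseq));
    char *iseq_label = alloca(label_len + 1);
    char *iseq_path = alloca(path_len + 1);
    // Bound the copy by the same length used to size the buffer; do not rely on the source being NUL-terminated.
    memcpy(iseq_label, RSTRING_PTR(unit->iseq->body->location.label), label_len);
    iseq_label[label_len] = '\0';
    memcpy(iseq_path, RSTRING_PTR(rb_iseq_path(unit->iseq)), path_len);
    iseq_path[path_len] = '\0';
```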