From 7927f32a19f501f7323dbd71066e7480ce104b8b Mon Sep 17 00:00:00 2001 From: matz Date: Fri, 12 Oct 2007 14:34:37 +0000 Subject: [PATCH] * array.c (rb_ary_combination): fixed memory corruption due to too small memory allocation * array.c (rb_ary_product): accessing out of memory bounds. condition fixed. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@13682 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- ChangeLog | 8 ++++++++ array.c | 4 ++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1362301355..68a2db5f32 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,14 @@ Fri Oct 12 15:04:54 2007 Nobuyoshi Nakada * trunk/parse.y (parser_yylex): ditto. +Fri Oct 12 12:44:11 2007 Yukihiro Matsumoto + + * array.c (rb_ary_combination): fixed memory corruption due to too + small memory allocation + + * array.c (rb_ary_product): accessing out of memory bounds. + condition fixed. + Thu Oct 11 21:10:17 2007 Yukihiro Matsumoto * include/ruby/node.h (NOEX_LOCAL): remove unused local visibility. diff --git a/array.c b/array.c index 6360571e40..85573015a7 100644 --- a/array.c +++ b/array.c @@ -3112,7 +3112,7 @@ rb_ary_combination(VALUE ary, VALUE num) } } else { - volatile VALUE t0 = tmpbuf(n, sizeof(long)); + volatile VALUE t0 = tmpbuf(n+1, sizeof(long)); long *stack = (long*)RSTRING_PTR(t0); long nlen = combi_len(len, n); volatile VALUE cc = rb_ary_new2(n); @@ -3199,7 +3199,7 @@ rb_ary_product(int argc, VALUE *argv, VALUE ary) */ m = n-1; counters[m]++; - while (m >= 0 && counters[m] == RARRAY_LEN(arrays[m])) { + while (m > 0 && counters[m] == RARRAY_LEN(arrays[m])) { counters[m] = 0; m--; counters[m]++;