st.c (rb_hash_bulk_insert_into_st_table): avoid out-of-bounds write

"hash_bulk_insert" first expands the table, but the target size was
wrong: it was calculated by "num_entries + (size to buld insert)", but
it was wrong when "num_entries < entries_bound", i.e., it has a deleted
entry.  "hash_bulk_insert" adds the given entries from entries_bound,
which led to out-of-bounds write access.  [Bug #15536]

As a simple fix, this commit changes the calculation to "entries_bound +
size".  I'm afraid if this might be inefficient, but I think it is safe
anyway.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@66832 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

bootstraptest/test_literal.rb

@@ -223,6 +223,24 @@ assert_equal 'ok', %q{ #  long hash literal (optimized)
   :ok
 }
 
+assert_equal 'ok', %q{ #  Bug #15536
+  eval <<-END
+    {
+      **{
+        a0: nil, a1: nil, a2: nil, a3: nil, a4: nil, a5: nil, a6: nil, a7: nil, a8: nil,
+      },
+      a0: nil, a1: nil, a2: nil, a3: nil, a4: nil, a5: nil, a6: nil, a7: nil, a8: nil,
+      **{
+        c: nil
+      },
+      b0: nil, b1: nil, b2: nil, b3: nil, b4: nil, b5: nil, b6: nil, b7: nil, b8: nil,
+      b9: nil, b10: nil, b11: nil, b12: nil, b13: nil, b14: nil, b15: nil, b16: nil,
+      b17: nil, b18: nil, b19: nil, b20: nil, b21: nil,
+    }
+  END
+  :ok
+}
+
 assert_equal 'ok', %q{
   [print(:ok), exit] # void literal with side-effect
   :dummy

st.c

@@ -2299,7 +2299,7 @@ rb_hash_bulk_insert_into_st_table(long argc, const VALUE *argv, VALUE hash)
     st_table *tab = RHASH_ST_TABLE(hash);
 
     tab = RHASH_TBL_RAW(hash);
-    n = tab->num_entries + size;
+    n = tab->entries_bound + size;
     st_expand_table(tab, n);
     if (UNLIKELY(tab->num_entries))
         st_insert_generic(tab, argc, argv, hash);