mirror of
https://github.com/ruby/ruby.git
synced 2022-11-09 12:17:21 -05:00
Fix length calculation for Array#slice!
Commit 4f24255
introduced a bug which allows a length to be passed to
rb_ary_new4 which is too large, resulting in invalid memory access.
For example:
(1..1000).to_a.slice!(-2, 1000)
This commit is contained in:
parent
7e36b91526
commit
d43279edac
Notes:
git
2021-08-29 09:41:56 +09:00
1 changed files with 1 additions and 1 deletions
2
array.c
2
array.c
|
@ -4096,7 +4096,7 @@ ary_slice_bang_by_rb_ary_splice(VALUE ary, long pos, long len)
|
|||
else if (orig_len < pos) {
|
||||
return Qnil;
|
||||
}
|
||||
else if (orig_len < pos + len) {
|
||||
if (orig_len < pos + len) {
|
||||
len = orig_len - pos;
|
||||
}
|
||||
if (len == 0) {
|
||||
|
|
Loading…
Reference in a new issue