mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00

Fix length calculation for Array#slice!

Commit 4f24255 introduced a bug which allows a length to be passed to
rb_ary_new4 which is too large, resulting in invalid memory access.

For example:

    (1..1000).to_a.slice!(-2, 1000)
Mike Dalessio 2021-08-28 10:29:17 -04:00 committed by Nobuyoshi Nakada
parent 7e36b91526
commit d43279edac
Notes: git 2021-08-29 09:41:56 +09:00

@ -4096,7 +4096,7 @@ ary_slice_bang_by_rb_ary_splice(VALUE ary, long pos, long len)
else if (orig_len < pos) {
return Qnil;
}
else if (orig_len < pos + len) {
if (orig_len < pos + len) {
len = orig_len - pos;
}
if (len == 0) {
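Review bot: The clamp condition `orig_len < pos + len` adds two `long` values, and signed overflow is undefined behaviour in C, so a very large `len` could wrap before the comparison and leave `len` unclamped. Writing it as `len > orig_len - pos` expresses the same bound without the addition, since `pos` has already been checked against `orig_len` by this point. Because the check is now a standalone `if` instead of part of the `else if` chain, it also runs on the paths that used to bypass it, so a regression test built on the commit message's case, `(1..1000).to_a.slice!(-2, 1000)`, asserting both the returned elements and the size of the remaining array, would keep this from regressing.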