array.c: check array length every time after yielding

Since the Array may be modified during rb_yield(), the length before invoking the block can't be trusted. Fix possible out-of-bounds read in Array#combination and Array#repeated_combination. It may better to make a defensive copy of the Array, but for now let's follow what Array#permutation does. [ruby-core:78738] [Bug #13052] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57119 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
author: rhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2016-12-20 05:26:08 +0000
committer: rhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2016-12-20 05:26:08 +0000
commit: 647ba111ea0b2d6de5454abe6daece75c08ad905 (patch)
tree: a233c4258ad27cda9d4fd0b7157dc43cd4220f31 /array.c
parent: c54ede0560be7e57b90b063fcddab402f4f29cd3 (diff)
download: ruby-647ba111ea0b2d6de5454abe6daece75c08ad905.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/array.c b/array.c
index 0fa3494dcd..b7ef04f397 100644
--- a/array.c
+++ b/array.c
@@ -5194,7 +5194,7 @@ rb_ary_combination(VALUE ary, VALUE num)
 	rb_yield(rb_ary_new2(0));
     }
     else if (n == 1) {
-	for (i = 0; i < len; i++) {
+	for (i = 0; i < RARRAY_LEN(ary); i++) {
 	    rb_yield(rb_ary_new3(1, RARRAY_AREF(ary, i)));
 	}
     }
@@ -5393,7 +5393,7 @@ rb_ary_repeated_combination(VALUE ary, VALUE num)
 	rb_yield(rb_ary_new2(0));
     }
     else if (n == 1) {
-	for (i = 0; i < len; i++) {
+	for (i = 0; i < RARRAY_LEN(ary); i++) {
 	    rb_yield(rb_ary_new3(1, RARRAY_AREF(ary, i)));
 	}
     }
author	rhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2016-12-20 05:26:08 +0000
committer	rhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2016-12-20 05:26:08 +0000
commit	647ba111ea0b2d6de5454abe6daece75c08ad905 (patch)
tree	a233c4258ad27cda9d4fd0b7157dc43cd4220f31 /array.c
parent	c54ede0560be7e57b90b063fcddab402f4f29cd3 (diff)
download	ruby-647ba111ea0b2d6de5454abe6daece75c08ad905.tar.gz