Bug #13052

closed

Array#combination segfaults if the Array is modified during iteration

Added by rhenium (Kazuki Yamaguchi) over 5 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
[ruby-core:78738]

Description

Array#combination and Array#repeated_combination segfault if the Array is modified from the invoked block.

Reproduce:

ary = *1..100
ary.combination(1) { |x| p x; ary.clear } #=> segfault
# or ary.repeated_combination(1) { |x| p x; ary.clear } #=> segfault

This is the same as [Bug #9939], but it didn't fix the case where the argument is 1.

Actions #1

Updated by Anonymous over 5 years ago

  • Status changed from Open to Closed

Applied in changeset r57119.


array.c: check array length every time after yielding

Since the Array may be modified during rb_yield(), the length before
invoking the block can't be trusted. Fix possible out-of-bounds read in
Array#combination and Array#repeated_combination.

It may be better to make a defensive copy of the Array, but for now let's
follow what Array#permutation does. [ruby-core:78738] [Bug #13052]
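
The loop shape the commit message describes, as an added example (a toy C model, not code from array.c or from the Ruby project): one iterator reads the length once before yielding, the other re-checks it after every yield. The names vec, clear_block, each_cached_len, each_checked_len, run, demo_cached and demo_checked are hypothetical, and the stale indices are only counted rather than read, so the program stays in bounds.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy array, constructed for this example (not Ruby's RArray). */
typedef struct { long *ptr; size_t len; } vec;
typedef void (*block_fn)(vec *v, long x);

/* Stands in for a block that calls ary.clear. */
static void clear_block(vec *v, long x) { (void)x; v->len = 0; }

/* Length read once before yielding: returns how many indices the loop
 * still visits after they fell outside the live array. Those reads are
 * only counted, never performed, so the demo itself stays in bounds. */
size_t each_cached_len(vec *v, block_fn blk) {
    size_t stale = 0, n = v->len;
    for (size_t i = 0; i < n; i++) {
        if (i >= v->len) { stale++; continue; }
        blk(v, v->ptr[i]);
    }
    return stale;
}

/* Length re-checked after every yield: returns elements yielded. */
size_t each_checked_len(vec *v, block_fn blk) {
    size_t yielded = 0;
    for (size_t i = 0; i < v->len; i++) {
        blk(v, v->ptr[i]);
        yielded++;
    }
    return yielded;
}

/* Runs one iterator over a fresh 1..100 array, like the reproducer. */
static size_t run(size_t (*iter)(vec *, block_fn)) {
    long buf[100];
    vec v = { buf, 100 };
    for (size_t i = 0; i < 100; i++) buf[i] = (long)i + 1;
    return iter(&v, clear_block);
}

size_t demo_cached(void)  { return run(each_cached_len); }
size_t demo_checked(void) { return run(each_checked_len); }

int main(void) {
    printf("cached length:  %zu stale indices\n", demo_cached());
    printf("checked length: %zu element(s) yielded\n", demo_checked());
    return 0;
}
```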

Updated by usa (Usaku NAKAMURA) over 5 years ago

  • Backport changed from 2.1: UNKNOWN, 2.2: REQUIRED, 2.3: REQUIRED to 2.1: UNKNOWN, 2.2: DONE, 2.3: REQUIRED

ruby_2_2 r57220 merged revision(s) 57119.

Updated by nagachika (Tomoyuki Chikanaga) over 5 years ago

  • Backport changed from 2.1: UNKNOWN, 2.2: DONE, 2.3: REQUIRED to 2.1: UNKNOWN, 2.2: DONE, 2.3: DONE

ruby_2_3 r57350 merged revision(s) 57119.
