Bug #15951

Issue with Array#rindex when rb_equal call modifies receiver

Added by luke-gru (Luke Gruber) 6 months ago. Updated 6 months ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
[ruby-core:93319]

Description

Hi, this causes an out-of-bounds RARRAY_AREF call in rb_ary_rindex on the trunk branch, and results in a segmentation fault on my system:

o = Object.new
def o.==(other)
    other.replace([]) if Array === other
    false
end
a = Array.new(10)
a.fill(o)

p a.rindex(a)

The fix is to check the array length after the call to rb_equal and break out of the loop if the next iteration will result in an out of bounds read.
I'll add a PR for this.

Thanks,
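
The failure mode and the proposed length re-check, as an added C model that is not part of the original report and is not Ruby's array.c. The `vec` type, the `stale_reads` counter and all function names are hypothetical; the backing storage is kept allocated so that reads past the current length can be counted safely instead of faulting.

```c
#include <stdio.h>

/* Constructed model: fixed storage plus a logical length. */
typedef struct { long slots[10]; long len; } vec;
typedef int (*eq_fn)(vec *self, long elem, long needle);

static long stale_reads; /* reads at an index >= the current length */

static long vec_get(vec *v, long i) {
    if (i >= v->len) stale_reads++; /* out of bounds in a real array */
    return v->slots[i];
}

/* Ordinary comparison that leaves the receiver alone. */
static int eq_plain(vec *self, long elem, long needle) {
    (void)self;
    return elem == needle;
}

/* Models an == override that empties the receiver and returns false. */
static int eq_clears_receiver(vec *self, long elem, long needle) {
    (void)elem; (void)needle;
    self->len = 0;
    return 0;
}

/* Before: trusts the length sampled once at loop entry. */
static long rindex_unchecked(vec *v, long needle, eq_fn eq) {
    long i = v->len;
    while (i--)
        if (eq(v, vec_get(v, i), needle)) return i;
    return -1;
}

/* After: re-reads the length after every callback. */
static long rindex_checked(vec *v, long needle, eq_fn eq) {
    long i = v->len;
    while (i--) {
        if (eq(v, vec_get(v, i), needle)) return i;
        if (i > v->len) break; /* next index, i - 1, would be >= len */
    }
    return -1;
}

/* Runs one variant against the shrinking callback; returns stale reads. */
static long run(long (*rindex)(vec *, long, eq_fn)) {
    vec v = { {0}, 10 };
    stale_reads = 0;
    rindex(&v, 0, eq_clears_receiver);
    return stale_reads;
}

int main(void) {
    printf("unchecked: %ld stale reads\n", run(rindex_unchecked));
    printf("checked:   %ld stale reads\n", run(rindex_checked));
    return 0;
}
```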

Associated revisions

Revision c033dc30
Added by luke-gru (Luke Gruber) 6 months ago

Fix issue with Array#rindex when rb_equal modifies receiver array

Fixes [Bug #15951]

Closes: https://github.com/ruby/ruby/pull/2250

History

#2

Updated by luke-gru (Luke Gruber) 6 months ago

  • Status changed from Open to Closed

Applied in changeset git|c033dc3073839e3578f1ba25d53b837974b56474.


