Project

General

Profile

Actions

Bug #15951

closed

Issue with Array#rindex when rb_equal call modifies receiver

Added by luke-gru (Luke Gruber) almost 5 years ago. Updated almost 5 years ago.

Status:
Closed
Assignee:
-
Target version:
-
[ruby-core:93319]

Description

Hi, this causes out of bounds RARRAY_AREF call in rb_ary_rindex in trunk branch, and results in a segmentation fault on my system:

o = Object.new
def o.==(other)
    other.replace([]) if Array === other
    false
end
a = Array.new(10)
a.fill(o)

p a.rindex(a)

The fix is to check the array length after the call to rb_equal and break out of the loop if the next iteration will result in an out of bounds read.
I'll add a PR for this.

Thanks,

Actions

Also available in: Atom PDF

Like0
Like0Like0