authorBouke van der Bijl <[email protected]>2016-11-17 11:12:35 -0500
committerBouke van der Bijl <[email protected]>2016-11-24 10:09:37 -0500
commit75b31d743813dd078c5b5c2ee5115b07b0c14f32 (patch)
tree8eb7136e5f60090b3b680e515ebde2774a504f9c
parenta630c4f413f6af764e68210430e8b61a435d38d7 (diff)
Fix segfault on method call with exactly 127 arguments
Reported by https://hackerone.com/dkasak
-rw-r--r--mrbgems/mruby-compiler/core/codegen.c8
-rw-r--r--test/t/codegen.rb17
2 files changed, 22 insertions, 3 deletions
diff --git a/mrbgems/mruby-compiler/core/codegen.c b/mrbgems/mruby-compiler/core/codegen.c
index 0c84dd558..a36984dea 100644
--- a/mrbgems/mruby-compiler/core/codegen.c
+++ b/mrbgems/mruby-compiler/core/codegen.c
@@ -772,6 +772,8 @@ attrsym(codegen_scope *s, mrb_sym a)
return mrb_intern(s->mrb, name2, len+1);
}
+#define CALL_MAXARGS 127
+
static int
gen_values(codegen_scope *s, node *t, int val)
{
@@ -780,7 +782,9 @@ gen_values(codegen_scope *s, node *t, int val)
while (t) {
is_splat = (intptr_t)t->car->car == NODE_SPLAT; /* splat mode */
- if (n >= 127 || is_splat) {
+ if (
+ n >= CALL_MAXARGS - 1 /* need to subtract one because vm.c expects an array if n == CALL_MAXARGS */
+ || is_splat) {
if (val) {
if (is_splat && n == 0 && (intptr_t)t->car->cdr->car == NODE_ARRAY) {
codegen(s, t->car->cdr, VAL);
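Review bot: The reason for `CALL_MAXARGS - 1` in gen_values is carried only by a comment wedged inside the condition, while `#define CALL_MAXARGS 127` has no comment saying the value doubles as the "arguments are packed in an array" marker that, per that comment, vm.c keys on. I would document the contract at the definition, e.g. `/* an argument count of CALL_MAXARGS tells the VM the arguments are in one array; at most CALL_MAXARGS-1 are passed inline */`, and fold the test back to `if (n >= CALL_MAXARGS - 1 || is_splat) {`. Since the mismatch was a crash reachable from script source, a debug assertion at the point where the count is encoded would catch a regression in the compiler rather than in the VM; that point is presumably gen_call, which lies outside this hunk, so the placement is inferred. gen_values begins before this hunk and continues past it.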
@@ -831,8 +835,6 @@ gen_values(codegen_scope *s, node *t, int val)
return n;
}
-#define CALL_MAXARGS 127
-
static void
gen_call(codegen_scope *s, node *tree, mrb_sym name, int sp, int val, int safe)
{
diff --git a/test/t/codegen.rb b/test/t/codegen.rb
new file mode 100644
index 000000000..0690cef06
--- /dev/null
+++ b/test/t/codegen.rb
@@ -0,0 +1,17 @@
+##
+# Codegen tests
+
+assert('method call with exactly 127 arguments') do
+ def args_to_ary(*args)
+ args
+ end
+
+ assert_equal [0]*127, args_to_ary(
+ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, \
+ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, \
+ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, \
+ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, \
+ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, \
+ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
+ )
+end
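Review bot: Only the exact count of 127 is exercised, so the test pins the reported crash but not the boundary on either side. As I read the new condition `n >= CALL_MAXARGS - 1`, 126 literal arguments is the last count still passed inline and 128 takes the array path, so two more `assert_equal` cases with `[0]*126` and `[0]*128` would show both paths yield the same array. The arguments have to stay literal, because a splat takes the `is_splat` branch in gen_values and never reaches the count check; a comment such as `# literal arguments on purpose: a splat bypasses the argument-count limit in codegen` would stop a later cleanup from replacing the list with `*([0]*127)`.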