Avoid crash if hv.n is greater than kh_size(h); fix #3565

The resulting behavior is different from CRuby, but modifying
hash key afterwards is undefined behavior in ISO spec.

1 files changed, 9 insertions, 3 deletions

diff --git a/src/hash.c b/src/hash.c
index 3a7aea245..f55f85d69 100644
--- a/src/hash.c
+++ b/src/hash.c
@@ -750,20 +750,26 @@ MRB_API mrb_value
 mrb_hash_keys(mrb_state *mrb, mrb_value hash)
 {
   khash_t(ht) *h = RHASH_TBL(hash);
-  khiter_t k;
+  khiter_t k, end;
   mrb_value ary;
   mrb_value *p;
 
   if (!h || kh_size(h) == 0) return mrb_ary_new(mrb);
   ary = mrb_ary_new_capa(mrb, kh_size(h));
-  mrb_ary_set(mrb, ary, kh_size(h)-1, mrb_nil_value());
+  end = kh_size(h)-1;
+  mrb_ary_set(mrb, ary, end, mrb_nil_value());
   p = mrb_ary_ptr(ary)->ptr;
   for (k = kh_begin(h); k != kh_end(h); k++) {
     if (kh_exist(h, k)) {
       mrb_value kv = kh_key(h, k);
       mrb_hash_value hv = kh_value(h, k);
 
-      p[hv.n] = kv;
+      if (hv.n <= end) {
+        p[hv.n] = kv;
+      }
+      else {
+        p[end] = kv;
+      }
     }
   }
   return ary;