Fixed too much value_copy() when block is not given; fix #3440

The issue was reported by https://hackerone.com/titanous

1 files changed, 12 insertions, 4 deletions

diff --git a/src/vm.c b/src/vm.c
index 70583864e..f2af6f950 100644
--- a/src/vm.c
+++ b/src/vm.c
@@ -1151,12 +1151,14 @@ RETRY_TRY_BLOCK:
       }
       if (GET_OPCODE(i) != OP_SENDB) {
         SET_NIL_VALUE(regs[bidx]);
+        bidx = 0;
       }
       else {
         mrb_value blk = regs[bidx];
         if (!mrb_nil_p(blk) && mrb_type(blk) != MRB_TT_PROC) {
           regs[bidx] = mrb_convert_type(mrb, blk, MRB_TT_PROC, "Proc", "to_proc");
         }
+        bidx = 1;
       }
       c = mrb_class(mrb, recv);
       m = mrb_method_search_vm(mrb, &c, mid);
@@ -1177,15 +1179,17 @@ RETRY_TRY_BLOCK:
           mrb_method_missing(mrb, mid, recv, args);
         }
         mid = missing;
+        if (n == CALL_MAXARGS-1) {
+          regs[a+1] = mrb_ary_new_from_values(mrb, n, regs+a+1);
+          n++;
+        }
         if (n == CALL_MAXARGS) {
           mrb_ary_unshift(mrb, regs[a+1], sym);
         }
         else {
-          value_move(regs+a+2, regs+a+1, ++n);
+          value_move(regs+a+2, regs+a+1, n+bidx);
           regs[a+1] = sym;
-          if (n == CALL_MAXARGS) {
-            regs[a+1] = mrb_ary_new_from_values(mrb, n, regs+a+1);
-          }
+          n++;
         }
       }
 
@@ -1355,6 +1359,10 @@ RETRY_TRY_BLOCK:
           mrb_method_missing(mrb, mid, recv, args);
         }
         mid = missing;
+        if (n == CALL_MAXARGS-1) {
+          regs[a+1] = mrb_ary_new_from_values(mrb, n, regs+a+1);
+          n++;
+        }
         if (n == CALL_MAXARGS) {
           mrb_ary_unshift(mrb, regs[a+1], mrb_symbol_value(ci->mid));
         }