The key or value object could be reclaimed by GC; fix #4164

The GC may occur between `sg_shift` and `mrb_assoc_new`, in which case `key` and `value` could be freed even tough they are still alive. The issue is found and fixed by https://hackerone.com/hexodus
author: Yukihiro "Matz" Matsumoto <[email protected]> 2018-11-16 01:04:57 +0900
committer: Yukihiro "Matz" Matsumoto <[email protected]> 2018-11-16 01:04:57 +0900
commit: 180b73fec437e21e2e862fc47bff9ad07f581d2c (patch)
tree: a727dfb566e82d9784ffb268b3f1f3081cb410fa /src/hash.c
parent: 0a022f7b8d3e6abc0320001430de9e7d63ba9212 (diff)
download: mruby-180b73fec437e21e2e862fc47bff9ad07f581d2c.tar.gz
mruby-180b73fec437e21e2e862fc47bff9ad07f581d2c.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/src/hash.c b/src/hash.c
index 03a95dbd8..376c054cb 100644
--- a/src/hash.c
+++ b/src/hash.c
@@ -1057,6 +1057,8 @@ mrb_hash_shift(mrb_state *mrb, mrb_value hash)
     mrb_value del_key, del_val;
 
     sg_shift(mrb, sg, &del_key, &del_val);
+    mrb_gc_protect(mrb, del_key);
+    mrb_gc_protect(mrb, del_val);
     return mrb_assoc_new(mrb, del_key, del_val);
   }
author	Yukihiro "Matz" Matsumoto <[email protected]>	2018-11-16 01:04:57 +0900
committer	Yukihiro "Matz" Matsumoto <[email protected]>	2018-11-16 01:04:57 +0900
commit	180b73fec437e21e2e862fc47bff9ad07f581d2c (patch)
tree	a727dfb566e82d9784ffb268b3f1f3081cb410fa /src/hash.c
parent	0a022f7b8d3e6abc0320001430de9e7d63ba9212 (diff)
download	mruby-180b73fec437e21e2e862fc47bff9ad07f581d2c.tar.gz mruby-180b73fec437e21e2e862fc47bff9ad07f581d2c.zip