diff options
| author | dearblue <[email protected]> | 2021-12-30 22:34:22 +0900 |
|---|---|---|
| committer | dearblue <[email protected]> | 2021-12-30 22:34:22 +0900 |
| commit | a137ef12f981b517f1e6b64e39edc7ac15d7e1eb (patch) | |
| tree | fb0e0b192aec0cd2237f3094df958138b8332224 /src/string.c | |
| parent | 41e8b210b82fc5a0bc6f0b2989b34e0391fac2ae (diff) | |
| download | mruby-a137ef12f981b517f1e6b64e39edc7ac15d7e1eb.tar.gz mruby-a137ef12f981b517f1e6b64e39edc7ac15d7e1eb.zip | |
Get object properties after `mrb_get_args()`
ref. #5613
I checked with Valgrind, and the methods that can cause use-after-free are `Array#rotate`, `Array#rotate!`, and `String#byteslice`.
Since `String#rindex` uses `RSTRING_LEN()` indirectly inside the function, no reference to the out-of-bounds range is generated.
Diffstat (limited to 'src/string.c')
| -rw-r--r-- | src/string.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/src/string.c b/src/string.c index 6c9dd2996..d0e4d38be 100644 --- a/src/string.c +++ b/src/string.c @@ -2047,9 +2047,11 @@ static mrb_value mrb_str_rindex(mrb_state *mrb, mrb_value str) { mrb_value sub; - mrb_int pos, len = RSTRING_CHAR_LEN(str); + mrb_int pos; + int argc = mrb_get_args(mrb, "S|i", &sub, &pos); + mrb_int len = RSTRING_CHAR_LEN(str); - if (mrb_get_args(mrb, "S|i", &sub, &pos) == 1) { + if (argc == 1) { pos = len; } else { @@ -2828,16 +2830,18 @@ static mrb_value mrb_str_byteslice(mrb_state *mrb, mrb_value str) { mrb_value a1; - mrb_int str_len = RSTRING_LEN(str), beg, len; + mrb_int str_len, beg, len; mrb_bool empty = TRUE; len = mrb_get_argc(mrb); switch (len) { case 2: mrb_get_args(mrb, "ii", &beg, &len); + str_len = RSTRING_LEN(str); break; case 1: a1 = mrb_get_arg1(mrb); + str_len = RSTRING_LEN(str); if (mrb_range_p(a1)) { if (mrb_range_beg_len(mrb, a1, &beg, &len, str_len, TRUE) != MRB_RANGE_OK) { return mrb_nil_value(); |