diff options
| author | Yukihiro "Matz" Matsumoto <[email protected]> | 2018-11-16 01:04:57 +0900 |
|---|---|---|
| committer | Yukihiro "Matz" Matsumoto <[email protected]> | 2018-11-16 01:04:57 +0900 |
| commit | 180b73fec437e21e2e862fc47bff9ad07f581d2c (patch) | |
| tree | a727dfb566e82d9784ffb268b3f1f3081cb410fa /src | |
| parent | 0a022f7b8d3e6abc0320001430de9e7d63ba9212 (diff) | |
| download | mruby-180b73fec437e21e2e862fc47bff9ad07f581d2c.tar.gz mruby-180b73fec437e21e2e862fc47bff9ad07f581d2c.zip | |
The key or value object could be reclaimed by GC; fix #4164
The GC may occur between `sg_shift` and `mrb_assoc_new`, in which
case `key` and `value` could be freed even tough they are still alive.
The issue is found and fixed by https://hackerone.com/hexodus
Diffstat (limited to 'src')
| -rw-r--r-- | src/hash.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/hash.c b/src/hash.c index 03a95dbd8..376c054cb 100644 --- a/src/hash.c +++ b/src/hash.c @@ -1057,6 +1057,8 @@ mrb_hash_shift(mrb_state *mrb, mrb_value hash) mrb_value del_key, del_val; sg_shift(mrb, sg, &del_key, &del_val); + mrb_gc_protect(mrb, del_key); + mrb_gc_protect(mrb, del_val); return mrb_assoc_new(mrb, del_key, del_val); } |