From 7d07466b437910d560fda2f78d2f7b93205eaa22 Mon Sep 17 00:00:00 2001
From: Bouke van der Bijl <boukevanderbijl@gmail.com>
Date: Tue, 29 Nov 2016 10:54:21 -0500
Subject: Fix stack move segfaulting in OP_ARYCAT

Reported by https://hackerone.com/haquaman

Testcase (couldn't get it to work as a test):

def nil.b
  b *nil
end
nil.b
---
 src/vm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/vm.c b/src/vm.c
index 41e19b0c0..f0dc338d0 100644
--- a/src/vm.c
+++ b/src/vm.c
@@ -2134,8 +2134,8 @@ RETRY_TRY_BLOCK:
 
     CASE(OP_ARYCAT) {
       /* A B            mrb_ary_concat(R(A),R(B)) */
-      mrb_ary_concat(mrb, regs[GETARG_A(i)],
-                     mrb_ary_splat(mrb, regs[GETARG_B(i)]));
+      mrb_value splat = mrb_ary_splat(mrb, regs[GETARG_B(i)]);
+      mrb_ary_concat(mrb, regs[GETARG_A(i)], splat);
       ARENA_RESTORE(mrb, ai);
       NEXT;
     }
-- 
cgit v1.2.3