From ed56d56dabe79bdec59a177e296cea3c77766438 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto" <matz@ruby-lang.org>
Date: Wed, 17 Dec 2014 11:14:14 +0900
Subject: avoid out-of-bounds access of irep->lv; ref #2671, fix #2675

allocation size of irep->iv is irep->nlocals-1.
---
 mrbgems/mruby-eval/src/eval.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/mrbgems/mruby-eval/src/eval.c b/mrbgems/mruby-eval/src/eval.c
index 57c214c5f..3165c3898 100644
--- a/mrbgems/mruby-eval/src/eval.c
+++ b/mrbgems/mruby-eval/src/eval.c
@@ -55,18 +55,18 @@ search_variable(mrb_state *mrb, mrb_sym vsym, int bnest)
   return 0;
 }
 
-static int
+static mrb_bool
 potential_upvar_p(struct mrb_locals *lv, uint16_t v, uint16_t nlocals)
 {
   int i;
 
+  if (v >= nlocals) return FALSE;
   /* skip arguments  */
-  for (i=0; i<nlocals; i++) {
+  for (i=0; i<nlocals-1; i++) {
     if (lv[i].name == 0)
-      break;
+      return i < v;
   }
-  if (i == nlocals) return v < nlocals;
-  return i < v && v < nlocals;
+  return TRUE;
 }
 
 static void
@@ -126,8 +126,6 @@ patch_irep(mrb_state *mrb, mrb_irep *irep, int bnest)
   }
 }
 
-void mrb_codedump_all(mrb_state *mrb, struct RProc *proc);
-
 static struct RProc*
 create_proc_from_string(mrb_state *mrb, char *s, int len, mrb_value binding, char *file, mrb_int line)
 {
-- 
cgit v1.2.3