From a137ef12f981b517f1e6b64e39edc7ac15d7e1eb Mon Sep 17 00:00:00 2001
From: dearblue
Date: Thu, 30 Dec 2021 22:34:22 +0900
Subject: Get object properties after `mrb_get_args()`

ref. #5613

I checked with Valgrind, and the methods that can cause use-after-free are `Array#rotate`, `Array#rotate!`, and `String#byteslice`.

Since `String#rindex` uses `RSTRING_LEN()` indirectly inside the function, no reference to the out-of-bounds range is generated.
---
 mrbgems/mruby-array-ext/src/array.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

(limited to 'mrbgems/mruby-array-ext/src/array.c')

diff --git a/mrbgems/mruby-array-ext/src/array.c b/mrbgems/mruby-array-ext/src/array.c
index d97778642..ae8a55d4d 100644
--- a/mrbgems/mruby-array-ext/src/array.c
+++ b/mrbgems/mruby-array-ext/src/array.c
@@ -264,12 +264,14 @@ mrb_ary_compact_bang(mrb_state *mrb, mrb_value self)
 static mrb_value
 mrb_ary_rotate(mrb_state *mrb, mrb_value self)
 {
+  mrb_int count=1;
+  mrb_get_args(mrb, "|i", &count);
+
   mrb_value ary = mrb_ary_new(mrb);
   mrb_int len = RARRAY_LEN(self);
   mrb_value *p = RARRAY_PTR(self);
-  mrb_int count=1, idx;
+  mrb_int idx;
 
-  mrb_get_args(mrb, "|i", &count);
   if (len <= 0) return ary;
   if (count < 0) {
     idx = len - (~count % len) - 1;
@@ -313,12 +315,14 @@ rev(mrb_value *p, mrb_int beg, mrb_int end)
 static mrb_value
 mrb_ary_rotate_bang(mrb_state *mrb, mrb_value self)
 {
+  mrb_int count=1;
+  mrb_get_args(mrb, "|i", &count);
+
   struct RArray *a = mrb_ary_ptr(self);
   mrb_int len = ARY_LEN(a);
   mrb_value *p = ARY_PTR(a);
-  mrb_int count=1, idx;
+  mrb_int idx;
 
-  mrb_get_args(mrb, "|i", &count);
   mrb_ary_modify(mrb, a);
   if (len == 0 || count == 0) return self;
   if (count == 1) {
-- 
cgit v1.2.3
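Review bot: The ordering that this hunk establishes in mrb_ary_rotate — `mrb_get_args` before `RARRAY_LEN(self)` and `RARRAY_PTR(self)` — is the whole fix, but nothing in the code says why, so the next cleanup that "tidies" the declarations back together will silently reintroduce the use-after-free the commit message describes. A comment on the moved `mrb_get_args` line would pin it down, e.g. `/* Must run before RARRAY_LEN/RARRAY_PTR: the "i" conversion can run Ruby code that resizes self and frees the old buffer. */` (hedged: the exact re-entry path is not visible in the hunk, but the commit message and Valgrind report point at it). The same comment belongs on the corresponding line of mrb_ary_rotate_bang in the second hunk. The body of mrb_ary_rotate continues past the end of the hunk.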
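Review bot: In mrb_ary_rotate_bang the cached `p = ARY_PTR(a)` is still taken before `mrb_ary_modify(mrb, a)`, so the new ordering only covers the argument parsing, not the modify step. If `mrb_ary_modify` can replace the array's storage (for instance when unsharing a shared buffer — I cannot confirm that from the hunk alone), then `p` would point at the old storage while the in-place rotation that follows writes through it. Reading the pointer after the modify call removes the question: keep `mrb_int len = ARY_LEN(a);`, move `mrb_value *p = ARY_PTR(a);` to directly after `mrb_ary_modify(mrb, a);`, and note in a comment that the pointer is only valid once the array is known to be unshared. The function body continues past the end of the hunk, so any later re-reads of `a` would need the same check.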