From 006661394d792e179575e79ae159d604c612950b Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto" <matz@ruby-lang.org>
Date: Sat, 5 Aug 2017 01:18:52 +0900
Subject: Fixed heap buffer overflow in `mrb_ary_unshift_m`; fix #3760

---
 src/array.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/array.c')

diff --git a/src/array.c b/src/array.c
index 9124ff950..2ef29dcf5 100644
--- a/src/array.c
+++ b/src/array.c
@@ -584,8 +584,8 @@ mrb_ary_unshift_m(mrb_state *mrb, mrb_value self)
   }
   array_copy(ptr, vals, alen);
   ARY_SET_LEN(a, len+alen);
-  while (len--) {
-    mrb_field_write_barrier_value(mrb, (struct RBasic*)a, vals[len]);
+  while (alen--) {
+    mrb_field_write_barrier_value(mrb, (struct RBasic*)a, vals[alen]);
   }
 
   return self;
-- 
cgit v1.2.3