From 2837de95fe41cc7dd378f9eeea5d0bd217c80323 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Wed, 31 May 2017 23:03:39 +0900
Subject: Prevent splicing big recursive arrrays; ref #3679

We know this is not perfect, but this change makes hack like #3679 bit harder. Harmless for useful cases.
---
 src/array.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'src/array.c')

diff --git a/src/array.c b/src/array.c
index 3ab74f95d..1f1127382 100644
--- a/src/array.c
+++ b/src/array.c
@@ -620,7 +620,12 @@ mrb_ary_splice(mrb_state *mrb, mrb_value ary, mrb_int head, mrb_int len, mrb_val
 argc = RARRAY_LEN(rpl);
 argv = RARRAY_PTR(rpl);
 if (argv == a->ptr) {
- struct RArray *r = ary_dup(mrb, a);
+ struct RArray *r;
+
+ if (argc > 32767) {
+ mrb_raise(mrb, E_ARGUMENT_ERROR, "too big recursive splice");
+ }
+ r = ary_dup(mrb, a);
 argv = r->ptr;
 }
 }
--
cgit v1.2.3
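Review bot: The bound in the added `if (argc > 32767)` is an unexplained magic number, and the check sits inside `if (argv == a->ptr)`, so it only fires when the replacement is the very same buffer as the target array. A replacement with the same contents but a different buffer skips this branch entirely, so any cap on the resulting length has to be enforced elsewhere in `mrb_ary_splice`, whose body starts and ends outside this hunk. I would give the limit a name and a why-comment above the check, e.g. `/* self-splice adds a copy of the whole array on each call; cap it to limit growth (ref #3679) */`. That marks it as a mitigation, presumably against runaway memory growth, and not as a type or ABI limit. The message `"too big recursive splice"` could also state the limit so callers can tell which bound they hit.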