From 39ca4ef3bcdfec6047647e697f94cb84f2251175 Mon Sep 17 00:00:00 2001 From: "Yukihiro \"Matz\" Matsumoto" Date: Fri, 31 Mar 2017 13:02:01 +0900 Subject: Avoid crash if hv.n is greater than kh_size(h); fix #3565 The resulting behavior is different from CRuby, but modifying hash key afterwards is undefined behavior in ISO spec. --- src/hash.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'src/hash.c') diff --git a/src/hash.c b/src/hash.c index 3a7aea245..f55f85d69 100644 --- a/src/hash.c +++ b/src/hash.c @@ -750,20 +750,26 @@ MRB_API mrb_value mrb_hash_keys(mrb_state *mrb, mrb_value hash) { khash_t(ht) *h = RHASH_TBL(hash); - khiter_t k; + khiter_t k, end; mrb_value ary; mrb_value *p; if (!h || kh_size(h) == 0) return mrb_ary_new(mrb); ary = mrb_ary_new_capa(mrb, kh_size(h)); - mrb_ary_set(mrb, ary, kh_size(h)-1, mrb_nil_value()); + end = kh_size(h)-1; + mrb_ary_set(mrb, ary, end, mrb_nil_value()); p = mrb_ary_ptr(ary)->ptr; for (k = kh_begin(h); k != kh_end(h); k++) { if (kh_exist(h, k)) { mrb_value kv = kh_key(h, k); mrb_hash_value hv = kh_value(h, k); - p[hv.n] = kv; + if (hv.n <= end) { + p[hv.n] = kv; + } + else { + p[end] = kv; + } } } return ary; -- cgit v1.2.3