From a137ef12f981b517f1e6b64e39edc7ac15d7e1eb Mon Sep 17 00:00:00 2001
From: dearblue
Date: Thu, 30 Dec 2021 22:34:22 +0900
Subject: Get object properties after `mrb_get_args()`

ref. #5613

I checked with Valgrind, and the methods that can cause use-after-free are `Array#rotate`, `Array#rotate!`, and `String#byteslice`. Since `String#rindex` uses `RSTRING_LEN()` indirectly inside the function, no reference to the out-of-bounds range is generated.
---
 src/string.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'src/string.c')

diff --git a/src/string.c b/src/string.c
index 6c9dd2996..d0e4d38be 100644
--- a/src/string.c
+++ b/src/string.c
@@ -2047,9 +2047,11 @@ static mrb_value
 mrb_str_rindex(mrb_state *mrb, mrb_value str)
 {
   mrb_value sub;
-  mrb_int pos, len = RSTRING_CHAR_LEN(str);
+  mrb_int pos;
+  int argc = mrb_get_args(mrb, "S|i", &sub, &pos);
+  mrb_int len = RSTRING_CHAR_LEN(str);
 
-  if (mrb_get_args(mrb, "S|i", &sub, &pos) == 1) {
+  if (argc == 1) {
     pos = len;
   }
   else {
@@ -2828,16 +2830,18 @@ static mrb_value
 mrb_str_byteslice(mrb_state *mrb, mrb_value str)
 {
   mrb_value a1;
-  mrb_int str_len = RSTRING_LEN(str), beg, len;
+  mrb_int str_len, beg, len;
   mrb_bool empty = TRUE;
 
   len = mrb_get_argc(mrb);
   switch (len) {
   case 2:
     mrb_get_args(mrb, "ii", &beg, &len);
+    str_len = RSTRING_LEN(str);
     break;
   case 1:
     a1 = mrb_get_arg1(mrb);
+    str_len = RSTRING_LEN(str);
     if (mrb_range_p(a1)) {
       if (mrb_range_beg_len(mrb, a1, &beg, &len, str_len, TRUE) != MRB_RANGE_OK) {
         return mrb_nil_value();
-- 
cgit v1.2.3
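Review bot: The new `int argc = mrb_get_args(...)` line in mrb_str_rindex narrows the return value (as I recall `mrb_get_args()` returns `mrb_int`); it is harmless here because at most two arguments are parsed, but `mrb_int argc = mrb_get_args(mrb, "S|i", &sub, &pos);` keeps the local consistent with the function's other integer locals. More importantly, the ordering of the two new declarations is the entire point of the patch, yet nothing in the code records it, so a later cleanup could re-merge them into one declarator list and silently reintroduce the hazard; a one-line comment such as `/* len must be read after mrb_get_args(): argument conversion can run Ruby code that may modify str (see #5613) */` would pin the intent. The stated reason is my reading of the commit message rather than something the hunk shows, so adjust the wording if the actual trigger differs. mrb_str_rindex continues past the end of the hunk.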
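Review bot: `str_len` in mrb_str_byteslice is now declared without an initializer and assigned only inside the `case 2` and `case 1` arms, so any other arm of the `switch` that reaches the later uses of `str_len` (the remaining arms and the rest of the body are outside the hunk) would read an indeterminate value, which is undefined behaviour and will also draw a maybe-uninitialized warning. Unless every remaining arm is known to return or raise, give it a harmless initializer, `mrb_int str_len = 0, beg, len;`, and keep the per-arm assignments as the authoritative value. The two identical `str_len = RSTRING_LEN(str);` lines also deserve a why-comment at the first one, e.g. `/* read only after the arguments have been retrieved; see the use-after-free fix for #5613 */`, since the placement looks accidental without it. Whether argument retrieval can run Ruby code that resizes or frees the receiver is inferred from the commit message, not visible in the hunk.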