From 180b73fec437e21e2e862fc47bff9ad07f581d2c Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Fri, 16 Nov 2018 01:04:57 +0900
Subject: The key or value object could be reclaimed by GC; fix #4164
The GC may occur between `sg_shift` and `mrb_assoc_new`, in which case `key` and `value` could be freed even tough they are still alive. The issue is found and fixed by https://hackerone.com/hexodus
---
 src/hash.c | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'src')
diff --git a/src/hash.c b/src/hash.c
index 03a95dbd8..376c054cb 100644
--- a/src/hash.c
+++ b/src/hash.c
@@ -1057,6 +1057,8 @@ mrb_hash_shift(mrb_state *mrb, mrb_value hash)
 mrb_value del_key, del_val;
 sg_shift(mrb, sg, &del_key, &del_val);
+ mrb_gc_protect(mrb, del_key);
+ mrb_gc_protect(mrb, del_val);
 return mrb_assoc_new(mrb, del_key, del_val);
 }
-- cgit v1.2.3
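Review bot: The two added `mrb_gc_protect` calls close the window between `sg_shift` and the pair allocation in `mrb_assoc_new`, but nothing in the hunk records why they are there, so a later cleanup could drop them as dead code; I would put `/* del_key/del_val are no longer reachable from the hash; pin them in the GC arena until mrb_assoc_new has stored them */` above the first call. The fix also relies on whoever calls `mrb_hash_shift` (presumably the VM) restoring the arena index afterwards — two arena slots per call is harmless from Ruby, but a C-level caller that loops over `mrb_hash_shift` without `mrb_gc_arena_save`/`mrb_gc_arena_restore` would eventually hit an arena overflow, which deserves a sentence in the comment or commit message. If `sg_shift` can be split into a peek and a remove, building the pair with `mrb_assoc_new` while the entry is still reachable from the hash and removing it afterwards would avoid depending on the arena at all, though I cannot tell from this hunk whether `sg_shift` itself can trigger a collection, and any sibling function that removes an entry and then allocates before returning needs the same treatment. The body of `mrb_hash_shift` begins before this hunk.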