From db1bd078bedcc33bfd3ca4c45f46bc553786bfd8 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto" <matz@ruby-lang.org>
Date: Wed, 11 Jan 2017 17:59:56 +0900
Subject: Use temporary variable to avoid potential crash; fix #3387

This issue was original reported by https://hackerone.com/icanthack
https://hackerone.com/titanous suggested the solution.
`regs` may be reallocated in the function call.
---
 src/vm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/vm.c b/src/vm.c
index 7b38659a7..4352b8463 100644
--- a/src/vm.c
+++ b/src/vm.c
@@ -2411,7 +2411,8 @@ RETRY_TRY_BLOCK:
     CASE(OP_RANGE) {
       /* A B C  R(A) := range_new(R(B),R(B+1),C) */
       int b = GETARG_B(i);
-      regs[GETARG_A(i)] = mrb_range_new(mrb, regs[b], regs[b+1], GETARG_C(i));
+      mrb_value val = mrb_range_new(mrb, regs[b], regs[b+1], GETARG_C(i));
+      regs[GETARG_A(i)] = val;
       ARENA_RESTORE(mrb, ai);
       NEXT;
     }
-- 
cgit v1.2.3