
Fixed too much value_copy() when block is not given; fix #3440

The issue was reported by https://hackerone.com/titanous
matz committed Feb 13, 2017
1 parent b238747 commit f198530444f4b5ebfd011c3287114951c8553e5e
Showing with 12 additions and 4 deletions.
  1. +12 −4 src/vm.c
@@ -1151,12 +1151,14 @@ mrb_vm_exec(mrb_state *mrb, struct RProc *proc, mrb_code *pc)
}
if (GET_OPCODE(i) != OP_SENDB) {
SET_NIL_VALUE(regs[bidx]);
bidx = 0;
}
else {
mrb_value blk = regs[bidx];
if (!mrb_nil_p(blk) && mrb_type(blk) != MRB_TT_PROC) {
regs[bidx] = mrb_convert_type(mrb, blk, MRB_TT_PROC, "Proc", "to_proc");
}
bidx = 1;
}
c = mrb_class(mrb, recv);
m = mrb_method_search_vm(mrb, &c, mid);
@@ -1177,15 +1179,17 @@ mrb_vm_exec(mrb_state *mrb, struct RProc *proc, mrb_code *pc)
mrb_method_missing(mrb, mid, recv, args);
}
mid = missing;
if (n == CALL_MAXARGS-1) {
regs[a+1] = mrb_ary_new_from_values(mrb, n, regs+a+1);
n++;
}
if (n == CALL_MAXARGS) {
mrb_ary_unshift(mrb, regs[a+1], sym);
}
else {
value_move(regs+a+2, regs+a+1, ++n);
value_move(regs+a+2, regs+a+1, n+bidx);
regs[a+1] = sym;
if (n == CALL_MAXARGS) {
regs[a+1] = mrb_ary_new_from_values(mrb, n, regs+a+1);
}
n++;
}
}
@@ -1355,6 +1359,10 @@ mrb_vm_exec(mrb_state *mrb, struct RProc *proc, mrb_code *pc)
mrb_method_missing(mrb, mid, recv, args);
}
mid = missing;
if (n == CALL_MAXARGS-1) {
regs[a+1] = mrb_ary_new_from_values(mrb, n, regs+a+1);
n++;
}
if (n == CALL_MAXARGS) {
mrb_ary_unshift(mrb, regs[a+1], mrb_symbol_value(ci->mid));
}
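Review bot: The new move count in the second hunk, `value_move(regs+a+2, regs+a+1, n+bidx);`, is only correct because the first hunk now forces bidx to exactly 0 or 1 after it has been used as a register index (`regs[bidx]`), and neither site records that coupling; I would add `/* bidx is 0 or 1 here: shift the n args, plus the block slot only if one was passed, up by one to make room for the symbol */` above the value_move and `/* from here on bidx means "block slot present", no longer a register index */` after `bidx = 1;`. With the +/- markers lost in rendering I cannot tell which side the inner `if (n == CALL_MAXARGS)` at the end of the else branch belongs to; if it survives on the new side it is unreachable, because that branch is entered only when n != CALL_MAXARGS and n is not changed before the check, so it should be dropped or its intent documented. The third hunk repeats the same `n == CALL_MAXARGS-1` packing step as the second; a one-line comment such as `/* pack the args into one array so prepending the symbol cannot push n past CALL_MAXARGS */` at both places, or a shared static helper, would make the invariant clear to the next reader. mrb_vm_exec begins and ends outside the visible hunks, so whether the extra register written by the shift is reserved by the frame cannot be confirmed from here.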
