Crash due to invalid read in mrb_obj_alloc

[clayton-shopify]

The following input demonstrates a crash:

"1".upto("10000") {}

It appears the problem was introduced in e96f254.

ASAN report:

ASAN:DEADLYSIGNAL
=================================================================
==49777==ERROR: AddressSanitizer: SEGV on unknown address 0x63003235354a (pc 0x00010c6f97a0 bp 0x7fff535778b0 sp 0x7fff53577660 T0)
    #0 0x10c6f979f in mrb_obj_alloc gc.c:518
    #1 0x10c777b1c in str_new string.c:59
    #2 0x10c77791f in mrb_str_new string.c:193
    #3 0x10c86420c in mrb_str_upto (mruby:x86_64+0x1001e720c)
    #4 0x10c7ec04e in mrb_vm_exec vm.c:1396
    #5 0x10c7e0654 in mrb_vm_run vm.c:879
    #6 0x10c8160ff in mrb_top_run vm.c:2883
    #7 0x10c8ee26d in mrb_load_exec parse.y:5823
    #8 0x10c8ef085 in mrb_load_file_cxt parse.y:5832
    #9 0x10c67f3a3 in main mruby.c:227
    #10 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

==49777==Register values:
rax = 0x000063003235354a  rbx = 0x00007fff535776a0  rcx = 0x000063003235354a  rdx = 0x00001c600646a6a9
rdi = 0x0000100000000000  rsi = 0x0000100000000000  rbp = 0x00007fff535778b0  rsp = 0x00007fff53577660
 r8 = 0x0000000000000010   r9 = 0x000061400000a500  r10 = 0x0000000000000004  r11 = 0x000000010c921ce4
r12 = 0x00007fff53577b80  r13 = 0x00007fff53577ba0  r14 = 0x00007fff53577b40  r15 = 0x00007fff53577b60
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gc.c:518 in mrb_obj_alloc
==49777==ABORTING
Abort trap: 6

This issue was reported by Dinko Galetic & Denis Kasak (https://hackerone.com/dgaletic).

[Asmod4n]

Got a fix, PR incoming.