From: luke.gru@...
Date: 2019-06-22T15:30:14+00:00
Subject: [ruby-core:93320] [Ruby trunk Bug#15951] Issue with Array#rindex when rb_equal call modifies receiver

Issue #15951 has been updated by luke-gru (Luke Gruber).

PR here: https://github.com/ruby/ruby/pull/2250

----------------------------------------
Bug #15951: Issue with Array#rindex when rb_equal call modifies receiver
https://bugs.ruby-lang.org/issues/15951#change-78794

* Author: luke-gru (Luke Gruber)
* Status: Open
* Priority: Normal
* Assignee:
* Target version:
* ruby -v:
* Backport: 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN
----------------------------------------
Hi, this causes an out-of-bounds RARRAY_AREF call in `rb_ary_rindex` in the trunk branch, and results in a segmentation fault on my system:

```ruby
o = Object.new
def o.==(other)
  other.replace([]) if Array === other
  false
end

a = Array.new(10)
a.fill(o)
p a.rindex(a)
```

The fix is to check the array length after the call to `rb_equal` and break out of the loop if the next iteration will result in an out-of-bounds read. I'll add a PR for this.

Thanks,

--
https://bugs.ruby-lang.org/
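The length re-check described in the report, modeled in C as an added example; it is not code from the report, the PR, or Ruby's `array.c`. The names `vec_t`, `rindex_model`, `eq_truncating` and `stale_reads` are hypothetical, and the fixed-size buffer is an assumption that lets the unchecked variant run without touching invalid memory.

```c
#include <stdio.h>

/* Constructed model, not Ruby's array.c: `len` is the logical length and may
 * be changed by the equality callback, as a user-defined == can do in Ruby.
 * Storage is a fixed buffer, so a stale index is counted, never dereferenced
 * past real memory. */
#define CAP 10
typedef struct { long len; int items[CAP]; } vec_t;
typedef int (*eq_fn)(vec_t *v, int elem, int needle);

/* Equality callback that empties the receiver, like o.== in the report. */
static int eq_truncating(vec_t *v, int elem, int needle)
{
    (void)elem; (void)needle;
    v->len = 0;
    return 0;
}

/* Reverse search. With recheck == 0 the index is trusted across callbacks;
 * with recheck != 0 it is clamped to the current length after each one.
 * *stale counts reads at an index >= the current logical length. */
long rindex_model(vec_t *v, int needle, eq_fn eq, int recheck, long *stale)
{
    long i = v->len;
    *stale = 0;
    while (i-- > 0) {
        if (i >= v->len) (*stale)++;            /* out of bounds in a real array */
        if (eq(v, v->items[i], needle)) return i;
        if (recheck && i > v->len) i = v->len;  /* array shrank: resume from its end */
    }
    return -1;
}

/* Runs the 10-element scenario from the report; returns the stale-read count. */
long stale_reads(int recheck)
{
    vec_t v = { CAP, {0} };
    long stale;
    rindex_model(&v, 1, eq_truncating, recheck, &stale);
    return stale;
}

int main(void)
{
    printf("unchecked: %ld stale reads\n", stale_reads(0));
    printf("rechecked: %ld stale reads\n", stale_reads(1));
    return 0;
}
```

In the unchecked variant every iteration after the first reads an index the array no longer has; with the clamp, the loop ends as soon as the callback empties the array.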