The key or value object could be reclaimed by GC; fix #4164

The GC may occur between `sg_shift` and `mrb_assoc_new`, in which case `key` and `value` could be freed even tough they are still alive. The issue is found and fixed by https://hackerone.com/hexodus

The key or value object could be reclaimed by GC; fix #4164
The GC may occur between `sg_shift` and `mrb_assoc_new`, in which case `key` and `value` could be freed even tough they are still alive. The issue is found and fixed by https://hackerone.com/hexodus
180b73fe · Yukihiro "Matz" Matsumoto · 0a022f7b · 180b73fe
Commit 180b73fe authored Nov 16, 2018 by Yukihiro "Matz" Matsumoto
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

src/hash.c src/hash.c +2 -0

No files found.
--- a/src/hash.c
+++ b/src/hash.c
@@ -1057,6 +1057,8 @@ mrb_hash_shift(mrb_state *mrb, mrb_value hash)
    mrb_value del_key, del_val;

    sg_shift(mrb, sg, &del_key, &del_val);
+    mrb_gc_protect(mrb, del_key);
+    mrb_gc_protect(mrb, del_val);
    return mrb_assoc_new(mrb, del_key, del_val);
  }