Fix stack move segfaulting in OP_ARYCAT

Reported by https://hackerone.com/haquaman Testcase (couldn't get it to work as a test): def nil.b b *nil end nil.b

Fix stack move segfaulting in OP_ARYCAT
Reported by https://hackerone.com/haquaman Testcase (couldn't get it to work as a test): def nil.b b *nil end nil.b
7d07466b · Bouke van der Bijl · 2cca9d36 · 7d07466b
Unverified Commit 7d07466b authored Nov 29, 2016 by Bouke van der Bijl
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

src/vm.c src/vm.c +2 -2

No files found.
--- a/src/vm.c
+++ b/src/vm.c
@@ -2134,8 +2134,8 @@ RETRY_TRY_BLOCK:

    CASE(OP_ARYCAT) {
      /* A B            mrb_ary_concat(R(A),R(B)) */
-      mrb_ary_concat(mrb, regs[GETARG_A(i)],
-                     mrb_ary_splat(mrb, regs[GETARG_B(i)]));
+      mrb_value splat = mrb_ary_splat(mrb, regs[GETARG_B(i)]);
+      mrb_ary_concat(mrb, regs[GETARG_A(i)], splat);
      ARENA_RESTORE(mrb, ai);
      NEXT;
    }