Fixed too much value_copy() when block is not given; fix #3440

The issue was reported by https://hackerone.com/titanous

Fixed too much value_copy() when block is not given; fix #3440
The issue was reported by https://hackerone.com/titanous
f1985304 · Yukihiro "Matz" Matsumoto · b2387477 · f1985304
Commit f1985304 authored Feb 13, 2017 by Yukihiro "Matz" Matsumoto
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 4 deletions

src/vm.c src/vm.c +12 -4

No files found.
--- a/src/vm.c
+++ b/src/vm.c
@@ -1151,12 +1151,14 @@ RETRY_TRY_BLOCK:
      }
      if (GET_OPCODE(i) != OP_SENDB) {
        SET_NIL_VALUE(regs[bidx]);
+        bidx = 0;
      }
      else {
        mrb_value blk = regs[bidx];
        if (!mrb_nil_p(blk) && mrb_type(blk) != MRB_TT_PROC) {
          regs[bidx] = mrb_convert_type(mrb, blk, MRB_TT_PROC, "Proc", "to_proc");
        }
+        bidx = 1;
      }
      c = mrb_class(mrb, recv);
      m = mrb_method_search_vm(mrb, &c, mid);
@@ -1177,15 +1179,17 @@ RETRY_TRY_BLOCK:
          mrb_method_missing(mrb, mid, recv, args);
        }
        mid = missing;
+        if (n == CALL_MAXARGS-1) {
+          regs[a+1] = mrb_ary_new_from_values(mrb, n, regs+a+1);
+          n++;
+        }
        if (n == CALL_MAXARGS) {
          mrb_ary_unshift(mrb, regs[a+1], sym);
        }
        else {
-          value_move(regs+a+2, regs+a+1, ++n);
+          value_move(regs+a+2, regs+a+1, n+bidx);
          regs[a+1] = sym;
-          if (n == CALL_MAXARGS) {
+          n++;
-            regs[a+1] = mrb_ary_new_from_values(mrb, n, regs+a+1);
-          }
        }
      }
@@ -1355,6 +1359,10 @@ RETRY_TRY_BLOCK:
          mrb_method_missing(mrb, mid, recv, args);
        }
        mid = missing;
+        if (n == CALL_MAXARGS-1) {
+          regs[a+1] = mrb_ary_new_from_values(mrb, n, regs+a+1);
+          n++;
+        }
        if (n == CALL_MAXARGS) {
          mrb_ary_unshift(mrb, regs[a+1], mrb_symbol_value(ci->mid));
        }