Handle mutation of array being merged into set

Check length of array during every iteration, as a #hash method could truncate the array, resulting in heap-use-after-free. Fixes [Bug #21305]
author: Jeremy Evans <[email protected]> 2025-05-03 11:07:22 -0700
committer: Jeremy Evans <[email protected]> 2025-05-04 04:10:57 +0900
commit: be665cf855d7b35ce166ea1137d4f8d0cac1010b (patch)
tree: 9da637d7922023c383b3edff23f6c6852a269456 /set.c
parent: f3246ccebb0ccb8667fc6f143e69ecc2a9e3fb3c (diff)
1 files changed, 4 insertions, 8 deletions
diff --git a/set.c b/set.c
index 221b9a07e1..0f72a8ea4d 100644
--- a/set.c
+++ b/set.c
@@ -1120,14 +1120,10 @@ set_merge_enum_into(VALUE set, VALUE arg)
         set_iter(arg, set_merge_i, (st_data_t)&args);
     }
     else if (RB_TYPE_P(arg, T_ARRAY)) {
-        long len = RARRAY_LEN(arg);
-        if (RARRAY_LEN(arg) != 0) {
-            set_table *into = RSET_TABLE(set);
-            RARRAY_PTR_USE(arg, ptr, {
-                for(; len > 0; len--, ptr++) {
-                    set_table_insert_wb(into, set, *ptr, NULL);
-                }
-            });
+        long i;
+        set_table *into = RSET_TABLE(set);
+        for (i=0; i<RARRAY_LEN(arg); i++) {
+            set_table_insert_wb(into, set, RARRAY_AREF(arg, i), NULL);
         }
     }
     else {
author	Jeremy Evans <[email protected]>	2025-05-03 11:07:22 -0700
committer	Jeremy Evans <[email protected]>	2025-05-04 04:10:57 +0900
commit	be665cf855d7b35ce166ea1137d4f8d0cac1010b (patch)
tree	9da637d7922023c383b3edff23f6c6852a269456 /set.c
parent	f3246ccebb0ccb8667fc6f143e69ecc2a9e3fb3c (diff)