Motohiro KOSAKI <kosaki.motohiro / gmail.com> wrote:
> File old_thread_select.patch added
> 
> > static void
> > rb_fd_rcopy(fd_set *dst, rb_fdset_t *src)
> > {
> >     size_t size = howmany(rb_fd_max(src), NFDBITS) * sizeof(fd_mask);
> >     if (size < sizeof(fd_set)) size = sizeof(fd_set);
> >     memcpy(dst, rb_fd_ptr(src), size);
> > }
> 
> If size > sizeof(fd_set), this code causes memory corruption.

I just thought of this again and think rb_bug() is better than
rb_raise() here.  While unlikely to hit either case, rb_raise()
will leak memory since the rb_fd_term() call gets skipped.
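The bounds problem from the quoted rb_fd_rcopy and the cleanup point from the reply, shown in an added C example that is not Ruby's code: demo_fdset_t, its maxfd/fdset fields and the demo_ functions are constructed stand-ins for rb_fdset_t, rb_fd_max(), rb_fd_ptr() and rb_fd_term(); the byte-count formula is the one quoted above, and a source that needs more bytes than a fixed fd_set holds is refused instead of copied.

```c
#define _DEFAULT_SOURCE 1    /* glibc: expose fd_mask and NFDBITS */
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#ifndef NFDBITS
#define NFDBITS (8 * (int)sizeof(fd_mask))
#endif
#define HOWMANY(x, y) (((x) + ((y) - 1)) / (y))   /* howmany() from sys/param.h */
/* Constructed stand-in for rb_fdset_t: a heap bit array that may grow past
 * FD_SETSIZE, which is what makes an unchecked memcpy into an fd_set unsafe. */
typedef struct {
    int maxfd;       /* role of rb_fd_max(src) */
    fd_set *fdset;   /* role of rb_fd_ptr(src) */
} demo_fdset_t;
/* Same byte count the quoted rb_fd_rcopy computes. */
size_t demo_fd_bytes(int maxfd)
{
    return HOWMANY((size_t)maxfd, NFDBITS) * sizeof(fd_mask);
}

/* Allocate at least one fd_set, so the "size < sizeof(fd_set)" padding in
 * the quoted code would still read inside the buffer. */
int demo_fd_init(demo_fdset_t *set, int maxfd)
{
    size_t size = demo_fd_bytes(maxfd);
    if (size < sizeof(fd_set)) size = sizeof(fd_set);
    set->maxfd = maxfd;
    set->fdset = calloc(1, size);
    return set->fdset ? 0 : -1;
}

/* Checked copy: 0 on success, -1 when src needs more bytes than a fixed
 * fd_set holds (the case where the quoted code writes past the end of dst). */
int demo_fd_rcopy(fd_set *dst, const demo_fdset_t *src)
{
    size_t size = demo_fd_bytes(src->maxfd);
    if (size > sizeof(fd_set)) return -1;
    memset(dst, 0, sizeof(fd_set));   /* bits above src->maxfd read as clear */
    memcpy(dst, src->fdset, size);
    return 0;
}

/* Round trip one fd: 1 if it survives the copy, 0 if lost, -1 if refused. */
int demo_copy_roundtrip(int maxfd, int fd)
{
    demo_fdset_t src; fd_set dst;
    if (fd < 0 || fd >= maxfd || demo_fd_init(&src, maxfd) != 0) return -1;
    ((fd_mask *)src.fdset)[fd / NFDBITS] |= (fd_mask)1 << (fd % NFDBITS);
    int rc = demo_fd_rcopy(&dst, &src);
    free(src.fdset);   /* runs on every path: skipping rb_fd_term() is the leak the reply describes */
    return rc != 0 ? -1 : (FD_ISSET(fd, &dst) ? 1 : 0);
}
```

Returning an error code keeps the refusal and the cleanup separate, which is the property the reply wants from rb_bug() over rb_raise(): whatever reports the oversized set must not skip freeing it.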