Issue #15951 has been reported by luke-gru (Luke Gruber).
----------------------------------------
Bug #15951: Issue with Array#rindex when rb_equal call modifies receiver
https://bugs.ruby-lang.org/issues/15951
* Author: luke-gru (Luke Gruber)
* Status: Open
* Priority: Normal
* Assignee:
* Target version:
* ruby -v:
* Backport: 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN
----------------------------------------
Hi, this causes an out-of-bounds `RARRAY_AREF` call in `rb_ary_rindex` on the trunk branch, and results in a segmentation fault on my system:
```ruby
o = Object.new
def o.==(other)
  other.replace([]) if Array === other
  false
end
a = Array.new(10)
a.fill(o)
p a.rindex(a)
```
The fix is to check the array length after the call to `rb_equal` and break out of the loop if the next iteration will result in an out-of-bounds read.
I'll add a PR for this.
Thanks,
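The length check described in the report, shown as an added C example that is neither Ruby's source nor the reporter's patch. It assumes a constructed `vec` model with a fixed backing store, so a read past the logical length is counted instead of crashing; `vec`, `eq_clearing`, `eq_plain`, `read_slot` and both `rindex_*` functions are hypothetical names.

```c
#include <stdio.h>

/* Constructed model, not Ruby's RArray: `len` is the logical length and
 * `slots` a fixed backing store, so a stale read is counted, not a crash. */
typedef struct { int slots[10]; long len; } vec;
typedef int (*eq_fn)(vec *, int, int);

long stale_reads; /* reads at index >= len: out of bounds in a real heap array */

/* Hypothetical callbacks: one empties the receiver like the `==` in the
 * report (other.replace([])), one is an ordinary comparison. */
int eq_clearing(vec *v, int elem, int needle) { (void)elem; (void)needle; v->len = 0; return 0; }
int eq_plain(vec *v, int elem, int needle) { (void)v; return elem == needle; }

int read_slot(const vec *v, long i) {
    if (i >= v->len) stale_reads++;
    return v->slots[i];
}

/* Reverse scan that trusts the length captured before the loop. */
long rindex_unchecked(vec *v, int needle, eq_fn eq) {
    long i = v->len;
    while (i--) {
        if (eq(v, read_slot(v, i), needle)) return i;
    }
    return -1;
}

/* Reverse scan that re-reads the length after every callback. */
long rindex_checked(vec *v, int needle, eq_fn eq) {
    long i = v->len;
    while (i--) {
        if (eq(v, read_slot(v, i), needle)) return i;
        if (i > v->len) break; /* next read would be slot i-1 >= len */
    }
    return -1;
}

int main(void) {
    vec a = { {0}, 10 }, b = { {0}, 10 };
    rindex_unchecked(&a, 1, eq_clearing);
    printf("unchecked: %ld stale reads\n", stale_reads);
    stale_reads = 0;
    rindex_checked(&b, 1, eq_clearing);
    printf("checked:   %ld stale reads\n", stale_reads);
    return 0;
}
```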