* array.c (rb_ary_combination): fixed memory corruption due to too

  small memory allocation

* array.c (rb_ary_product): accessing out of memory bounds.
  condition fixed.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@13682 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

2 files changed, 10 insertions, 2 deletions

diff --git a/ChangeLog b/ChangeLog
index 1362301355..68a2db5f32 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,14 @@ Fri Oct 12 15:04:54 2007  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* trunk/parse.y (parser_yylex): ditto.
 
+Fri Oct 12 12:44:11 2007  Yukihiro Matsumoto  <matz@ruby-lang.org>
+
+	* array.c (rb_ary_combination): fixed memory corruption due to too
+	  small memory allocation
+
+	* array.c (rb_ary_product): accessing out of memory bounds.
+	  condition fixed.
+
 Thu Oct 11 21:10:17 2007  Yukihiro Matsumoto  <matz@ruby-lang.org>
 
 	* include/ruby/node.h (NOEX_LOCAL): remove unused local visibility.
diff --git a/array.c b/array.c
index 6360571e40..85573015a7 100644
--- a/array.c
+++ b/array.c
@@ -3112,7 +3112,7 @@ rb_ary_combination(VALUE ary, VALUE num)
 	}
     }
     else {
-	volatile VALUE t0 = tmpbuf(n, sizeof(long));
+	volatile VALUE t0 = tmpbuf(n+1, sizeof(long));
 	long *stack = (long*)RSTRING_PTR(t0);
 	long nlen = combi_len(len, n);
 	volatile VALUE cc = rb_ary_new2(n);
@@ -3199,7 +3199,7 @@ rb_ary_product(int argc, VALUE *argv, VALUE ary)
 	 */
 	m = n-1;
 	counters[m]++;
-	while (m >= 0 && counters[m] == RARRAY_LEN(arrays[m])) {
+	while (m > 0 && counters[m] == RARRAY_LEN(arrays[m])) {
 	    counters[m] = 0;
 	    m--;
 	    counters[m]++;