merge revision(s) 26c179d7e7e7ae0eb21050659c3e8778358230ab: [Backport #17026]

	Check argument to ObjectSpace._id2ref

	Ensure that the argument is an Integer or implicitly convert to,
	before dereferencing as a Bignum.  Addressed a regression in
	b99833baec2.

	Reported by u75615 at https://hackerone.com/reports/898614

3 files changed, 13 insertions, 2 deletions

diff --git a/gc.c b/gc.c
index 0c007dffe6..4700234e19 100644
--- a/gc.c
+++ b/gc.c
@@ -3648,6 +3648,7 @@ id2ref(VALUE objid)
     VALUE orig;
     void *p0;
 
+    objid = rb_to_int(objid);
     if (FIXNUM_P(objid) || rb_big_size(objid) <= SIZEOF_VOIDP) {
         ptr = NUM2PTR(objid);
         if (ptr == Qtrue) return Qtrue;
diff --git a/test/ruby/test_objectspace.rb b/test/ruby/test_objectspace.rb
index 243e9f681c..02c20aa261 100644
--- a/test/ruby/test_objectspace.rb
+++ b/test/ruby/test_objectspace.rb
@@ -55,6 +55,16 @@ End
     EOS
   end
 
+  def test_id2ref_invalid_argument
+    msg = /no implicit conversion/
+    assert_raise_with_message(TypeError, msg) {ObjectSpace._id2ref(nil)}
+    assert_raise_with_message(TypeError, msg) {ObjectSpace._id2ref(false)}
+    assert_raise_with_message(TypeError, msg) {ObjectSpace._id2ref(true)}
+    assert_raise_with_message(TypeError, msg) {ObjectSpace._id2ref(:a)}
+    assert_raise_with_message(TypeError, msg) {ObjectSpace._id2ref("0")}
+    assert_raise_with_message(TypeError, msg) {ObjectSpace._id2ref(Object.new)}
+  end
+
   def test_count_objects
     h = {}
     ObjectSpace.count_objects(h)
diff --git a/version.h b/version.h
index 52d8de1075..c0937dc840 100644
--- a/version.h
+++ b/version.h
@@ -2,11 +2,11 @@
 # define RUBY_VERSION_MINOR RUBY_API_VERSION_MINOR
 #define RUBY_VERSION_TEENY 1
 #define RUBY_RELEASE_DATE RUBY_RELEASE_YEAR_STR"-"RUBY_RELEASE_MONTH_STR"-"RUBY_RELEASE_DAY_STR
-#define RUBY_PATCHLEVEL 93
+#define RUBY_PATCHLEVEL 94
 
 #define RUBY_RELEASE_YEAR 2020
 #define RUBY_RELEASE_MONTH 7
-#define RUBY_RELEASE_DAY 18
+#define RUBY_RELEASE_DAY 19
 
 #include "ruby/version.h"