Recheck array length after `to_str` conversion

https://hackerone.com/reports/244787

2 files changed, 14 insertions, 1 deletions

diff --git a/array.c b/array.c
index 0af73715de..7925b26e07 100644
--- a/array.c
+++ b/array.c
@@ -2374,7 +2374,9 @@ rb_ary_join(VALUE ary, VALUE sep)
 
 	if (NIL_P(tmp) || tmp != val) {
 	    int first;
-	    result = rb_str_buf_new(len + (RARRAY_LEN(ary)-i)*10);
+            long n = RARRAY_LEN(ary);
+            if (i > n) i = n;
+            result = rb_str_buf_new(len + (n-i)*10);
 	    rb_enc_associate(result, rb_usascii_encoding());
             i = ary_join_0(ary, sep, i, result);
 	    first = i == 0;
diff --git a/test/ruby/test_array.rb b/test/ruby/test_array.rb
index c3b842e950..fcfda92487 100644
--- a/test/ruby/test_array.rb
+++ b/test/ruby/test_array.rb
@@ -2457,6 +2457,17 @@ class TestArray < Test::Unit::TestCase
     assert_equal("ab012z", x.ary.join(""))
   end
 
+  def test_join_recheck_array_length
+    x = Struct.new(:ary).new
+    def x.to_str
+      ary.clear
+      ary[0] = "b"
+      "z"
+    end
+    x.ary = Array.new(1023) {"a"*1} << x
+    assert_equal("b", x.ary.join(""))
+  end
+
   def test_to_a2
     klass = Class.new(Array)
     a = klass.new.to_a