2 files changed, 9 insertions, 9 deletions

diff --git a/ChangeLog b/ChangeLog
index cc8f4238ac..acc2d637af 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,8 @@
-Sun Dec 13 18:23:37 2015  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+Sun Dec 13 18:25:16 2015  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* ext/tk/tkutil/tkutil.c (cbsubst_table_setup): check length of
+	  argument arrays for each access, as callback methods can modify
+	  them.  reported by Marcin 'Icewall' Noga of Cisco Talos.
 
 	* ext/tk/tkutil/tkutil.c (cbsubst_table_setup): check types of
 	  argument elements.  reported by Marcin 'Icewall' Noga of Cisco
diff --git a/ext/tk/tkutil/tkutil.c b/ext/tk/tkutil/tkutil.c
index adc14c0cff..fc9ed2d5e3 100644
--- a/ext/tk/tkutil/tkutil.c
+++ b/ext/tk/tkutil/tkutil.c
@@ -1568,7 +1568,7 @@ cbsubst_table_setup(argc, argv, self)
   const VALUE *infp;
   ID id;
   struct cbsubst_info *subst_inf;
-  long idx, len;
+  long idx;
   unsigned char chr;
 
   /* accept (key_inf, proc_inf) or (key_inf, longkey_inf, procinf) */
@@ -1594,8 +1594,7 @@ cbsubst_table_setup(argc, argv, self)
    *         type  ==> char code or string
    *         ivar  ==> symbol
    */
-  len = RARRAY_LEN(key_inf);
-  for(idx = 0; idx < len; idx++) {
+  for(idx = 0; idx < RARRAY_LEN(key_inf); idx++) {
     inf = RARRAY_AREF(key_inf, idx);
     if (!RB_TYPE_P(inf, T_ARRAY)) continue;
     if (RARRAY_LEN(inf) < 3) continue;
@@ -1622,8 +1621,7 @@ cbsubst_table_setup(argc, argv, self)
    *         type ==> char code or string
    *         ivar ==> symbol
    */
-  len = RARRAY_LEN(longkey_inf);
-  for(idx = 0; idx < len; idx++) {
+  for(idx = 0; idx < RARRAY_LEN(longkey_inf); idx++) {
     inf = RARRAY_AREF(longkey_inf, idx);
     if (!RB_TYPE_P(inf, T_ARRAY)) continue;
     if (RARRAY_LEN(inf) < 3) continue;
@@ -1652,9 +1650,7 @@ cbsubst_table_setup(argc, argv, self)
    *         type  ==> char code or string
    *         proc  ==> proc/method/obj (must respond to 'call')
    */
-  len = RARRAY_LEN(proc_inf);
-  for(idx = 0; idx < len; idx++) {
-    VALUE type, proc;
+  for(idx = 0; idx < RARRAY_LEN(proc_inf); idx++) {
     inf = RARRAY_AREF(proc_inf, idx);
     if (!RB_TYPE_P(inf, T_ARRAY)) continue;
     if (RARRAY_LEN(inf) < 2) continue;