From 0c436bbfbf3b28fab8abfcbda9b8f388fa22290a Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada
Date: Mon, 20 Jan 2020 00:41:56 +0900
Subject: Recheck array length after `to_str` conversion

https://hackerone.com/reports/244787
---
 array.c | 4 +++-
 test/ruby/test_array.rb | 11 +++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/array.c b/array.c
index 0af73715de..7925b26e07 100644
--- a/array.c
+++ b/array.c
@@ -2374,7 +2374,9 @@ rb_ary_join(VALUE ary, VALUE sep)
 
 if (NIL_P(tmp) || tmp != val) {
 int first;
- result = rb_str_buf_new(len + (RARRAY_LEN(ary)-i)*10);
+ long n = RARRAY_LEN(ary);
+ if (i > n) i = n;
+ result = rb_str_buf_new(len + (n-i)*10);
 rb_enc_associate(result, rb_usascii_encoding());
 i = ary_join_0(ary, sep, i, result);
 first = i == 0;
diff --git a/test/ruby/test_array.rb b/test/ruby/test_array.rb
index c3b842e950..fcfda92487 100644
--- a/test/ruby/test_array.rb
+++ b/test/ruby/test_array.rb
@@ -2457,6 +2457,17 @@ class TestArray < Test::Unit::TestCase
 assert_equal("ab012z", x.ary.join(""))
 end
 
+ def test_join_recheck_array_length
+ x = Struct.new(:ary).new
+ def x.to_str
+ ary.clear
+ ary[0] = "b"
+ "z"
+ end
+ x.ary = Array.new(1023) {"a"*1} << x
+ assert_equal("b", x.ary.join(""))
+ end
+
 def test_to_a2
 klass = Class.new(Array)
 a = klass.new.to_a
-- 
cgit v1.2.3
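Review bot: The new clamp `if (i > n) i = n;` carries no comment, and it is not obvious why `i` can exceed `RARRAY_LEN(ary)` here: `i` is the index of the scan that encloses this block (its loop header is outside the hunk), and the reader has to know that the element conversion performed just before the `NIL_P(tmp) || tmp != val` test can run user-defined `to_str` which may shrink the array — that is what the commit subject says, but the code does not. I would annotate the added line: `/* to_str on the element may have mutated ary: re-read its length and clamp i so the buffer estimate and ary_join_0 only cover the current contents */`. Presumably without the clamp `(n-i)*10` goes negative and `ary_join_0` would be asked to walk up to the stale `i`; whether the later `ary_join_1` re-checks the length on every iteration is outside this hunk and worth confirming in the same comment. rb_ary_join continues beyond the hunk.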
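Review bot: The regression test reads as magic without a comment: the singleton `to_str` on `x` clears `ary` and rewrites it while `join` is still scanning, and the `1023` leading elements plus the expected `"b"` are what make the stale-length path observable. I would add above `x = Struct.new(:ary).new` something like `# join calls to_str on the last element; it shrinks the array mid-scan, so the result must reflect the post-mutation contents (see https://hackerone.com/reports/244787)`. Style: `{"a"*1}` presumably forces a fresh String object per slot rather than a shared literal; if that is deliberate, a short comment prevents the next reader from simplifying it to `{ "a" }`.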