From ff41663403d3eb76d95f465cb94e14d2faaa04d1 Mon Sep 17 00:00:00 2001
From: Kazuki Tsujimoto <kazuki@callcc.net>
Date: Tue, 19 Nov 2019 09:35:47 -0600
Subject: Fix memory corruption in Enumerable#reverse_each [ruby-dev:50867]
 [Bug #16354]

---
 enum.c                 | 12 +++++++++---
 test/ruby/test_enum.rb | 13 +++++++++++++
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/enum.c b/enum.c
index 0653280f8f..a41144993e 100644
--- a/enum.c
+++ b/enum.c
@@ -2419,14 +2419,20 @@ static VALUE
 enum_reverse_each(int argc, VALUE *argv, VALUE obj)
 {
     VALUE ary;
-    long i;
+    long len;
 
     RETURN_SIZED_ENUMERATOR(obj, argc, argv, enum_size);
 
     ary = enum_to_a(argc, argv, obj);
 
-    for (i = RARRAY_LEN(ary); --i >= 0; ) {
-	rb_yield(RARRAY_AREF(ary, i));
+    len = RARRAY_LEN(ary);
+    while (len--) {
+        long nlen;
+        rb_yield(RARRAY_AREF(ary, len));
+        nlen = RARRAY_LEN(ary);
+        if (nlen < len) {
+            len = nlen;
+        }
     }
 
     return obj;
diff --git a/test/ruby/test_enum.rb b/test/ruby/test_enum.rb
index 5fbb2d3663..7b647231c8 100644
--- a/test/ruby/test_enum.rb
+++ b/test/ruby/test_enum.rb
@@ -735,6 +735,19 @@ class TestEnumerable < Test::Unit::TestCase
     assert_equal([2,1,3,2,1], @obj.reverse_each.to_a)
   end
 
+  def test_reverse_each_memory_corruption
+    bug16354 = '[ruby-dev:50867]'
+    assert_normal_exit %q{
+      size = 1000
+      (0...size).reverse_each do |i|
+        i.inspect
+        ObjectSpace.each_object(Array) do |a|
+          a.clear if a.length == size
+        end
+      end
+    }, bug16354
+  end
+
   def test_chunk
     e = [].chunk {|elt| true }
     assert_equal([], e.to_a)
-- 
cgit v1.2.3