From f690eb34e28b000627e5f0649dd81a04e252286f Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada
Date: Sat, 2 Jan 2021 12:11:52 +0900
Subject: [PATCH] Fixed dangling imemo_tmpbuf

The count of rb_alloc_tmp_buffer_with_count is the allocation size counted in VALUE size but not in the requested element size.

Co-authored-by: Yusuke Endoh
Co-authored-by: Koichi Sasada
---
 include/ruby/internal/memory.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/include/ruby/internal/memory.h b/include/ruby/internal/memory.h
index 974c21e19ce8..7d24df494512 100644
--- a/include/ruby/internal/memory.h
+++ b/include/ruby/internal/memory.h
@@ -250,8 +250,9 @@ rbimpl_size_mul_or_raise(size_t x, size_t y)
 static inline void *
 rb_alloc_tmp_buffer2(volatile VALUE *store, long count, size_t elsize)
 {
-    return rb_alloc_tmp_buffer_with_count(
-        store, rbimpl_size_mul_or_raise(count, elsize), count);
+    const size_t total_size = rbimpl_size_mul_or_raise(count, elsize);
+    const size_t cnt = (total_size + sizeof(VALUE) - 1) / sizeof(VALUE);
+    return rb_alloc_tmp_buffer_with_count(store, total_size, cnt);
 }
 
 #ifndef __MINGW32__
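Review bot: The round-up in `const size_t cnt = (total_size + sizeof(VALUE) - 1) / sizeof(VALUE);` can wrap when total_size lies within sizeof(VALUE)-1 of SIZE_MAX, yielding cnt == 0 for a non-zero total_size; whether rbimpl_size_mul_or_raise already rejects sizes that large is not visible in the hunk. A wrap-free form does not depend on that: `const size_t cnt = total_size / sizeof(VALUE) + (total_size % sizeof(VALUE) != 0);`. Since `count` is a `long` converted to `size_t` at the call, a negative count becomes a huge product that the same helper is presumably expected to raise on — worth confirming rather than assuming. A short comment would also help future readers, e.g. `/* cnt is the buffer length in VALUE units, which is what rb_alloc_tmp_buffer_with_count expects */`.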