From 53ee1a78269df388224db950d40486b11d5559c3 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Tue, 30 Dec 2025 18:20:41 +0900
Subject: [PATCH] bigint.c: fix memory leak in mpz_div_2exp

mpz_div_2exp() was calling mpz_init_heap() on output parameter z without first freeing z's existing memory. When called from mpz_barrett_reduce() with pre-allocated temporaries, this caused memory leaks.

Add mpz_clear(ctx, z) before mpz_init_heap() in both affected code paths, matching the pattern already used in mpz_mod_2exp().

Fixes ClusterFuzz issue detected with input "8.pow 7*2515881+186,8 ^4>>-509".

Co-authored-by: Claude
---
 mrbgems/mruby-bigint/core/bigint.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/mrbgems/mruby-bigint/core/bigint.c b/mrbgems/mruby-bigint/core/bigint.c
index 9506323de5..59756d55fa 100644
--- a/mrbgems/mruby-bigint/core/bigint.c
+++ b/mrbgems/mruby-bigint/core/bigint.c
@@ -2091,6 +2091,7 @@ mpz_div_2exp(mpz_ctx_t *ctx, mpz_t *z, mpz_t *x, mrb_int e)
   short sn = x->sn;
   if (e == 0) {
     if (z != x) {
+      mpz_clear(ctx, z);
       mpz_init_heap(ctx, z, x->sz);
       mpz_set(ctx, z, x);
     }
@@ -2113,6 +2114,7 @@ mpz_div_2exp(mpz_ctx_t *ctx, mpz_t *z, mpz_t *x, mrb_int e)
   for (size_t i = 0; i < new_size; i++)
     y.p[i] = x->p[i + digs];
   if (bs) {
+    mpz_clear(ctx, z);
     mpz_init_heap(ctx, z, new_size);
     urshift(ctx, z, &y, bs);
     mpz_clear(ctx, &y);
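Review bot: The `mpz_clear(ctx, z)` added before `mpz_init_heap` in the `e == 0` path turns "z may hold anything" into a hard precondition: z must now arrive initialized (p NULL or an owned buffer), because clearing an indeterminate mpz_t would free a stray pointer, whereas the old code only overwrote it. The commit says this matches mpz_mod_2exp, so presumably every caller already honors that, but it is worth stating above the function so the next out-parameter caller does not pass a raw stack temporary: `/* z must be initialized (mpz_init or a prior result); its old buffer is released before reuse */`. The free-then-reallocate of `x->sz` digits followed by `mpz_set` also looks like avoidable churn if mpz_set already resizes its destination, though mpz_set is not visible here. The function's signature and the rest of its body lie outside this hunk.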
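Review bot: The `else` branch paired with this `if (bs)` (the digit-aligned case where e is a multiple of the limb width) ends outside the hunk and receives no `mpz_clear`; if it hands y to z with a struct move that does not release z's previous buffer, the leak fixed here for the shifted path would remain on that path, so the move helper should be checked for clearing its destination first. Inside the hunk, y is a fresh temporary that already holds the copied digits, so shifting y in place and then moving it into z would avoid the clear/init_heap/urshift/clear sequence and one allocation, but only if urshift tolerates aliased operands, which cannot be seen from here. A one-line comment on the cleared z, e.g. `/* z may alias x; x's digits were already copied into y above */`, would record why the clear is safe when z == x.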