Recheck array length after `to_str` conversion

https://hackerone.com/reports/244787

array.c

@@ -2374,7 +2374,9 @@ rb_ary_join(VALUE ary, VALUE sep)
 
 	if (NIL_P(tmp) || tmp != val) {
 	    int first;
-	    result = rb_str_buf_new(len + (RARRAY_LEN(ary)-i)*10);
+            long n = RARRAY_LEN(ary);
+            if (i > n) i = n;
+            result = rb_str_buf_new(len + (n-i)*10);
 	    rb_enc_associate(result, rb_usascii_encoding());
             i = ary_join_0(ary, sep, i, result);
 	    first = i == 0;

test/ruby/test_array.rb

@@ -2457,6 +2457,17 @@ class TestArray < Test::Unit::TestCase
     assert_equal("ab012z", x.ary.join(""))
   end
 
+  def test_join_recheck_array_length
+    x = Struct.new(:ary).new
+    def x.to_str
+      ary.clear
+      ary[0] = "b"
+      "z"
+    end
+    x.ary = Array.new(1023) {"a"*1} << x
+    assert_equal("b", x.ary.join(""))
+  end
+
   def test_to_a2
     klass = Class.new(Array)
     a = klass.new.to_a