Fix length calculation for Array#slice!

Commit 4f24255 introduced a bug which allows a length to be passed to rb_ary_new4 which is too large, resulting in invalid memory access. For example: (1..1000).to_a.slice!(-2, 1000)
2021-08-28 10:29:17 -04:00 · 2021-08-28 10:29:17 -04:00 · d43279edac
--- a/array.c
+++ b/array.c
@ -4096,7 +4096,7 @@ ary_slice_bang_by_rb_ary_splice(VALUE ary, long pos, long len)
    else if (orig_len < pos) {
        return Qnil;
    }
-    else if (orig_len < pos + len) {
+    if (orig_len < pos + len) {
        len = orig_len - pos;
    }
    if (len == 0) {