authornobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2016-03-27 23:18:52 +0000
committernobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2016-03-27 23:18:52 +0000
commit9ae4c2d59098ce6158385dda2539d2b36a03c090 (patch)
tree305ab7c3b2fff3a65b3f2ea3f40392f3c1835dd6
parentd1e2d6a9c52749912e8239d51b6beb5c6d9de943 (diff)
downloadruby-9ae4c2d59098ce6158385dda2539d2b36a03c090.tar.gz
sprintf.c: fix buffer overflow
* sprintf.c (rb_str_format): fix buffer overflow, length must be greater than precision. reported by William Bowling <will AT wbowling.info>. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54304 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--ChangeLog6
-rw-r--r--sprintf.c2
-rw-r--r--test/ruby/test_sprintf.rb4
3 files changed, 11 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index f29eaeb92a..1cb85758fe 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Mon Mar 28 08:18:51 2016 Nobuyoshi Nakada <nobu@ruby-lang.org>
+
+ * sprintf.c (rb_str_format): fix buffer overflow, length must be
+ greater than precision. reported by William Bowling <will AT
+ wbowling.info>.
+
Sun Mar 27 12:13:37 2016 Nobuyoshi Nakada <nobu@ruby-lang.org>
* sprintf.c (rb_str_format): convert Rational to floating point
diff --git a/sprintf.c b/sprintf.c
index 5c1f7780f0..d67ffff08c 100644
--- a/sprintf.c
+++ b/sprintf.c
@@ -1070,7 +1070,7 @@ rb_str_format(int argc, const VALUE *argv, VALUE fmt)
}
val = rb_int2str(num, 10);
len = RSTRING_LEN(val) + zero;
- if (prec >= len) ++len; /* integer part 0 */
+ if (prec >= len) len = prec + 1; /* integer part 0 */
if (sign || (flags&FSPACE)) ++len;
if (prec > 0) ++len; /* period */
CHECK(len > width ? len : width);
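Review bot: The comment on the replaced line, `/* integer part 0 */`, still describes the old `++len` and no longer says why the length jumps to `prec + 1`; since `CHECK(len > width ? len : width)` two lines below sizes the output buffer from this value, the reason deserves to be stated, e.g. `/* "0." followed by prec fraction digits, zero-padded: the digit string is shorter than prec */`. The branch also discards the `zero` contribution folded into `len` on the previous line; I cannot tell from the hunk what `zero` counts, so a one-line note confirming it is covered by the `prec` fraction digits would help the next reader of this sizing code. rb_str_format continues outside the hunk, so the code that actually emits the padding is not visible here.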
diff --git a/test/ruby/test_sprintf.rb b/test/ruby/test_sprintf.rb
index 501930a1e5..5732cecbf9 100644
--- a/test/ruby/test_sprintf.rb
+++ b/test/ruby/test_sprintf.rb
@@ -177,6 +177,10 @@ class TestSprintf < Test::Unit::TestCase
assert_equal("x"*10+" 1.0", sprintf("x"*10+"%8.1f", 1r), bug11766)
end
+ def test_rational_precision
+ assert_match(/\A0\.\d{600}\z/, sprintf("%.600f", 600**~60))
+ end
+
def test_hash
options = {:capture=>/\d+/}
assert_equal("with options {:capture=>/\\d+/}", sprintf("with options %p" % options))
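Review bot: The new test_rational_precision only asserts the shape of the output, so a future off-by-one in the zero padding that still yields 600 digits would pass; an exact small case alongside it, such as `assert_equal("0.001", sprintf("%.3f", 1/1000r))`, would pin the value for the same `prec > len` path. A case where the precision equals the digit count, the boundary of the `prec >= len` comparison in sprintf.c, is also worth covering. The `600**~60` spelling relies on `~60 == -61`; writing `600**-61` says the same thing more plainly.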