Avoid integer overflow in sprintf()

merged https://github.com/mruby/mruby/commit/ff03a9a61c62340cff62f8e0fdc1a1e8775b6f17 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@58034 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
author: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2017-03-20 01:36:08 +0000
committer: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2017-03-20 01:36:08 +0000
commit: 03c7232c3e5acc81fce35c3daf78e0856d218801 (patch)
tree: 682578e1da180b7f65fc7a4b4549316a85592a88 /sprintf.c
parent: 5755613b87e76fcd22cf333834f2f5c8ace9522e (diff)
download: ruby-03c7232c3e5acc81fce35c3daf78e0856d218801.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/sprintf.c b/sprintf.c
index 0438b5e32c..92738783eb 100644
--- a/sprintf.c
+++ b/sprintf.c
@@ -55,8 +55,9 @@ sign_bits(int base, const char *p)
 
 #define CHECK(l) do {\
     int cr = ENC_CODERANGE(result);\
-    while (blen + (l) >= bsiz) {\
+    while ((l) >= bsiz - blen) {\
 	bsiz*=2;\
+	if (bsiz<0) rb_raise(rb_eArgError, "too big specifier");\
     }\
     rb_str_resize(result, bsiz);\
     ENC_CODERANGE_SET(result, cr);\
author	nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2017-03-20 01:36:08 +0000
committer	nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2017-03-20 01:36:08 +0000
commit	03c7232c3e5acc81fce35c3daf78e0856d218801 (patch)
tree	682578e1da180b7f65fc7a4b4549316a85592a88 /sprintf.c
parent	5755613b87e76fcd22cf333834f2f5c8ace9522e (diff)
download	ruby-03c7232c3e5acc81fce35c3daf78e0856d218801.tar.gz