2 files changed, 11 insertions, 5 deletions

diff --git a/ChangeLog b/ChangeLog
index ea80c54e63..798d9dd7c0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Thu May 23 17:35:30 2013  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* load.c (loaded_feature_path): fix invalid read by index underflow.
+	  the beginning of name is also a boundary as well as just after '/'.
+
 Thu May 23 17:21:22 2013  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* gc.c (gc_profile_dump_on): revert r40898.  ok to show the record
diff --git a/load.c b/load.c
index c478f095d7..5bd735a71b 100644
--- a/load.c
+++ b/load.c
@@ -315,7 +315,7 @@ loaded_feature_path(const char *name, long vlen, const char *feature, long len,
 
     if (vlen < len+1) return 0;
     if (!strncmp(name+(vlen-len), feature, len)) {
-	plen = vlen - len - 1;
+	plen = vlen - len;
     }
     else {
 	for (e = name + vlen; name != e && *e != '.' && *e != '/'; --e);
@@ -323,19 +323,20 @@ loaded_feature_path(const char *name, long vlen, const char *feature, long len,
 	    e-name < len ||
 	    strncmp(e-len, feature, len))
 	    return 0;
-	plen = e - name - len - 1;
+	plen = e - name - len;
     }
-    if (name[plen] != '/') {
+    if (plen > 0 && name[plen-1] != '/') {
 	return 0;
     }
-    if (type == 's' ? !IS_DLEXT(&name[plen+len+1]) :
-	type == 'r' ? !IS_RBEXT(&name[plen+len+1]) :
+    if (type == 's' ? !IS_DLEXT(&name[plen+len]) :
+	type == 'r' ? !IS_RBEXT(&name[plen+len]) :
 	0) {
 	return 0;
     }
     /* Now name == "#{prefix}/#{feature}#{ext}" where ext is acceptable
        (possibly empty) and prefix is some string of length plen. */
 
+    if (plen > 0) --plen;	/* exclude '.' */
     for (i = 0; i < RARRAY_LEN(load_path); ++i) {
 	VALUE p = RARRAY_AREF(load_path, i);
 	const char *s = StringValuePtr(p);