From 9be80649453d30dd9c010af2ee1132753b4417dc Mon Sep 17 00:00:00 2001
From: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Tue, 13 Sep 2016 08:12:54 +0000
Subject: string.c: fix integer overflow

* string.c (rb_str_change_terminator_length): fix integer overflow
  in the case growing the terminator length and the string length
  is around LONG_MAX.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56149 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 string.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/string.c b/string.c
index 4197a174fb..450a5590e6 100644
--- a/string.c
+++ b/string.c
@@ -2054,7 +2054,8 @@ rb_str_change_terminator_length(VALUE str, const int oldtermlen, const int terml
     long capa = str_capacity(str, oldtermlen);
     long len = RSTRING_LEN(str);
 
-    if (capa < len + termlen - oldtermlen) {
+    assert(capa >= len);
+    if (capa - len < termlen - oldtermlen) {
 	rb_check_lockedtmp(str);
 	str_make_independent_expand(str, len, 0L, termlen);
     }
-- 
cgit v1.2.3