From aaf372ea2f6ac8286a820eaf0c4f6302b60d4418 Mon Sep 17 00:00:00 2001
From: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Sat, 7 Jan 2017 22:52:03 +0000
Subject: console.c: OOB access

* ext/io/console/console.c (console_set_winsize): fix
  out-of-bounds access.  [ruby-core:79004] [Bug #13112]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57280 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ext/io/console/console.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'ext/io/console')

diff --git a/ext/io/console/console.c b/ext/io/console/console.c
index dbbfbb7463..53580d1d4e 100644
--- a/ext/io/console/console.c
+++ b/ext/io/console/console.c
@@ -535,12 +535,14 @@ console_set_winsize(VALUE io, VALUE size)
     VALUE row, col, xpixel, ypixel;
     const VALUE *sz;
     int fd;
+    int sizelen;
 
     GetOpenFile(io, fptr);
     size = rb_Array(size);
-    rb_check_arity(RARRAY_LENINT(size), 2, 4);
+    rb_check_arity(sizelen = RARRAY_LENINT(size), 2, 4);
     sz = RARRAY_CONST_PTR(size);
-    row = sz[0], col = sz[1], xpixel = sz[2], ypixel = sz[3];
+    row = sz[0], col = sz[1], xpixel = ypixel = Qnil;
+    if (sizelen == 4) xpixel = sz[2], ypixel = sz[3];
     fd = GetWriteFD(fptr);
 #if defined TIOCSWINSZ
     ws.ws_row = ws.ws_col = ws.ws_xpixel = ws.ws_ypixel = 0;
-- 
cgit v1.2.3