From 21ed0e933bea698c7c8ab56590fa0469c7a6d099 Mon Sep 17 00:00:00 2001
From: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Sun, 27 Mar 2016 23:18:52 +0000
Subject: sprintf.c: fix buffer overflow

* sprintf.c (rb_str_format): fix buffer overflow, length must be
  greater than precision.  reported by William Bowling <will AT
  wbowling.info>.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54304 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 sprintf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'sprintf.c')

diff --git a/sprintf.c b/sprintf.c
index 5c1f7780f0..d67ffff08c 100644
--- a/sprintf.c
+++ b/sprintf.c
@@ -1070,7 +1070,7 @@ rb_str_format(int argc, const VALUE *argv, VALUE fmt)
 		}
 		val = rb_int2str(num, 10);
 		len = RSTRING_LEN(val) + zero;
-		if (prec >= len) ++len; /* integer part 0 */
+		if (prec >= len) len = prec + 1; /* integer part 0 */
 		if (sign || (flags&FSPACE)) ++len;
 		if (prec > 0) ++len; /* period */
 		CHECK(len > width ? len : width);
-- 
cgit v1.2.3