From 57d6dd5a461202f9824c3d1b8d3e5304aca2d21c Mon Sep 17 00:00:00 2001
From: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Mon, 20 Mar 2017 01:36:08 +0000
Subject: Avoid integer overflow in sprintf()

merged https://github.com/mruby/mruby/commit/ff03a9a61c62340cff62f8e0fdc1a1e8775b6f17

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@58034 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 sprintf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'sprintf.c')

diff --git a/sprintf.c b/sprintf.c
index 0438b5e32c..92738783eb 100644
--- a/sprintf.c
+++ b/sprintf.c
@@ -55,8 +55,9 @@ sign_bits(int base, const char *p)
 
 #define CHECK(l) do {\
     int cr = ENC_CODERANGE(result);\
-    while (blen + (l) >= bsiz) {\
+    while ((l) >= bsiz - blen) {\
 	bsiz*=2;\
+	if (bsiz<0) rb_raise(rb_eArgError, "too big specifier");\
     }\
     rb_str_resize(result, bsiz);\
     ENC_CODERANGE_SET(result, cr);\
-- 
cgit v1.2.3