From ba72d00e241d756410a781b482d106518b90501a Mon Sep 17 00:00:00 2001
From: ngoto <ngoto@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Fri, 15 Jul 2016 13:08:54 +0000
Subject: * string.c (str_buf_cat): Fix potential interger overflow of capa.  
 In addition, termlen is used instead of +1.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55692 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 string.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'string.c')

diff --git a/string.c b/string.c
index 514488fd93..ec26a589f1 100644
--- a/string.c
+++ b/string.c
@@ -2562,6 +2562,7 @@ str_buf_cat(VALUE str, const char *ptr, long len)
     long capa, total, olen, off = -1;
     char *sptr;
     const int termlen = TERM_LEN(str);
+    assert(termlen < RSTRING_EMBED_LEN_MAX + 1); /* < (LONG_MAX/2) */
 
     RSTRING_GETMEM(str, sptr, olen);
     if (ptr >= sptr && ptr <= sptr + olen) {
@@ -2586,11 +2587,11 @@ str_buf_cat(VALUE str, const char *ptr, long len)
     if (capa <= total) {
 	if (LIKELY(capa > 0)) {
 	    while (total > capa) {
-		if (capa > LONG_MAX / 2) {
+		if (capa > LONG_MAX / 2 - termlen) {
 		    capa = (total + 4095) / 4096 * 4096;
 		    break;
 		}
-		capa = 2 * capa + 1;
+		capa = 2 * capa + termlen; /* == 2*(capa+termlen)-termlen */
 	    }
 	}
 	else {
-- 
cgit v1.2.3