diff options
| author | Yukihiro "Matz" Matsumoto <[email protected]> | 2020-01-06 22:25:47 +0900 |
|---|---|---|
| committer | Yukihiro "Matz" Matsumoto <[email protected]> | 2020-01-06 22:25:47 +0900 |
| commit | c60bccaa9422d28e4d74e6f4cdb4781adcaa50c7 (patch) | |
| tree | d8a094ea6d8a497d91d4ee1de36f0d22343cee26 | |
| parent | 59756aef149dd70d74146526c70679c47cab0811 (diff) | |
| download | mruby-c60bccaa9422d28e4d74e6f4cdb4781adcaa50c7.tar.gz mruby-c60bccaa9422d28e4d74e6f4cdb4781adcaa50c7.zip | |
Check remaining string length before access to avoid OOB access.
| -rw-r--r-- | src/string.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/string.c b/src/string.c index 93e4847d0..01f7d9efa 100644 --- a/src/string.c +++ b/src/string.c @@ -2502,7 +2502,7 @@ mrb_str_len_to_dbl(mrb_state *mrb, const char *s, size_t len, mrb_bool badcheck) if (!p) return 0.0; while (ISSPACE(*p)) p++; - if (p[0] == '0' && (p[1] == 'x' || p[1] == 'X')) { + if (pend - p > 2 && p[0] == '0' && (p[1] == 'x' || p[1] == 'X')) { mrb_value x; x = mrb_str_len_to_inum(mrb, p, pend-p, 0, badcheck); |