diff options
| author | Yukihiro "Matz" Matsumoto <[email protected]> | 2015-12-14 10:46:30 +0900 |
|---|---|---|
| committer | Yukihiro "Matz" Matsumoto <[email protected]> | 2015-12-14 10:59:56 +0900 |
| commit | 2a234a93d769cf90bf52990a89d0817416fd3185 (patch) | |
| tree | d43a54fb32d2798b6c1acb9910d5136499bb6afc | |
| parent | 19c744e14d63996dd5e64db3f8a4440099079ac3 (diff) | |
| download | mruby-2a234a93d769cf90bf52990a89d0817416fd3185.tar.gz mruby-2a234a93d769cf90bf52990a89d0817416fd3185.zip | |
mrb_str_len_to_inum(): string may not be NUL terminated; ref #3043
| -rw-r--r-- | src/string.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/string.c b/src/string.c index 552293a46..eda4c3fb8 100644 --- a/src/string.c +++ b/src/string.c @@ -2124,6 +2124,10 @@ mrb_str_len_to_inum(mrb_state *mrb, const char *str, size_t len, int base, int b } break; } /* end of switch (base) { */ + if (p>=pend) { + if (badcheck) goto bad; + return mrb_fixnum_value(0); + } if (*p == '0') { /* squeeze preceding 0s */ p++; while (p<pend) { @@ -2153,14 +2157,17 @@ mrb_str_len_to_inum(mrb_state *mrb, const char *str, size_t len, int base, int b for ( ;p<pend;p++) { if (*p == '_') { - if (p[1] == '_') { + if (p+1<pend && p[1] == '_') { if (badcheck) goto bad; continue; } p++; + if (badcheck && p<pend) + goto bad; } if (badcheck && *p == '\0') { goto nullbyte; + break; } c = conv_digit(*p); if (c < 0 || c >= base) { @@ -2186,7 +2193,7 @@ mrb_str_len_to_inum(mrb_state *mrb, const char *str, size_t len, int base, int b /* not reached */ bad: mrb_raisef(mrb, E_ARGUMENT_ERROR, "invalid string for number(%S)", - mrb_inspect(mrb, mrb_str_new_cstr(mrb, str))); + mrb_inspect(mrb, mrb_str_new(mrb, str, pend-str))); /* not reached */ return mrb_fixnum_value(0); } |