Merge pull request #3503 from nobu/bug/sprintf-oob

Fix out-of-bound access

2 files changed, 12 insertions, 0 deletions

diff --git a/mrbgems/mruby-sprintf/src/sprintf.c b/mrbgems/mruby-sprintf/src/sprintf.c
index cc00198d0..09a26f827 100644
--- a/mrbgems/mruby-sprintf/src/sprintf.c
+++ b/mrbgems/mruby-sprintf/src/sprintf.c
@@ -567,6 +567,7 @@ mrb_str_format(mrb_state *mrb, int argc, const mrb_value *argv, mrb_value fmt)
     mrb_sym id = 0;
 
     for (t = p; t < end && *t != '%'; t++) ;
+    if (t + 1 == end) ++t;
     PUSH(p, t - p);
     if (t >= end)
       goto sprint_exit; /* end of fmt string */
diff --git a/mrbgems/mruby-sprintf/test/sprintf.rb b/mrbgems/mruby-sprintf/test/sprintf.rb
index ccbd95d51..178904d60 100644
--- a/mrbgems/mruby-sprintf/test/sprintf.rb
+++ b/mrbgems/mruby-sprintf/test/sprintf.rb
@@ -30,3 +30,14 @@ assert("String#% with invalid chr") do
     end
   end
 end
+
+assert("String#% invalid format") do
+  assert_raise ArgumentError do
+    "%?" % ""
+  end
+end
+
+assert("String#% invalid format shared substring") do
+  fmt = ("x"*30+"%!")[0...-1]
+  assert_equal fmt, sprintf(fmt, "")
+end