authorYukihiro "Matz" Matsumoto <[email protected]>2018-09-07 03:16:44 +0900
committerYukihiro "Matz" Matsumoto <[email protected]>2018-09-07 03:20:57 +0900
commit625976d7931006bae7e960e561ecdaccb0cb6a28 (patch)
treedc48458bff7a597b8f3d57bc5deaa09cc727db5d
parent3447162a4c5f1e5e7a1206deaacd8cb6ad2d3897 (diff)
Fix integer overflow issue; fix #4108
I misunderstood the return value from `snprintf()`, which is NOT the number of characters written to the buffer, but the number of characters the buffer would have to hold for the complete output to be written.
-rw-r--r--mrbgems/mruby-sprintf/src/sprintf.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/mrbgems/mruby-sprintf/src/sprintf.c b/mrbgems/mruby-sprintf/src/sprintf.c
index 738c5485f..ea127c574 100644
--- a/mrbgems/mruby-sprintf/src/sprintf.c
+++ b/mrbgems/mruby-sprintf/src/sprintf.c
@@ -1057,17 +1057,21 @@ retry:
need = BIT_DIGITS(i);
}
need += (flags&FPREC) ? prec : 6;
+ if (need < 0) {
+ too_big_width:
+ mrb_raise(mrb, E_ARGUMENT_ERROR,
+ (width > prec ? "width too big" : "prec too big"));
+ }
if ((flags&FWIDTH) && need < width)
need = width;
need += 20;
if (need <= 0) {
- mrb_raise(mrb, E_ARGUMENT_ERROR,
- (width > prec ? "width too big" : "prec too big"));
+ goto too_big_width;
}
CHECK(need);
n = snprintf(&buf[blen], need, fbuf, fval);
- if (n < 0) {
+ if (n < 0 || n >= need) {
mrb_raise(mrb, E_RUNTIME_ERROR, "formatting error");
}
blen += n;