Avoid integer overflow in sprintf(); fix #3439

This issue was reported by https://hackerone.com/aerodudrizzt
author: Yukihiro "Matz" Matsumoto <[email protected]> 2017-02-11 20:35:52 +0900
committer: Yukihiro "Matz" Matsumoto <[email protected]> 2017-02-11 20:35:52 +0900
commit: ff03a9a61c62340cff62f8e0fdc1a1e8775b6f17 (patch)
tree: 87b6058f9c9f16e6d07c9ee47990de2a273a97e5 /mrbgems/mruby-sprintf/src/sprintf.c
parent: 642ab8ecdace909b7bd294190e342e58c67ce6c8 (diff)
download: mruby-ff03a9a61c62340cff62f8e0fdc1a1e8775b6f17.tar.gz
mruby-ff03a9a61c62340cff62f8e0fdc1a1e8775b6f17.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/mrbgems/mruby-sprintf/src/sprintf.c b/mrbgems/mruby-sprintf/src/sprintf.c
index 616277f5e..d02a2aa4d 100644
--- a/mrbgems/mruby-sprintf/src/sprintf.c
+++ b/mrbgems/mruby-sprintf/src/sprintf.c
@@ -116,8 +116,9 @@ mrb_fix2binstr(mrb_state *mrb, mrb_value x, int base)
 
 #define CHECK(l) do {\
 /*  int cr = ENC_CODERANGE(result);*/\
-  while (blen + (l) >= bsiz) {\
+  while ((l) >= bsiz - blen) {\
     bsiz*=2;\
+    if (bsiz < 0) mrb_raise(mrb, E_ARGUMENT_ERROR, "too big specifier"); \
   }\
   mrb_str_resize(mrb, result, bsiz);\
 /*  ENC_CODERANGE_SET(result, cr);*/\
author	Yukihiro "Matz" Matsumoto <[email protected]>	2017-02-11 20:35:52 +0900
committer	Yukihiro "Matz" Matsumoto <[email protected]>	2017-02-11 20:35:52 +0900
commit	ff03a9a61c62340cff62f8e0fdc1a1e8775b6f17 (patch)
tree	87b6058f9c9f16e6d07c9ee47990de2a273a97e5 /mrbgems/mruby-sprintf/src/sprintf.c
parent	642ab8ecdace909b7bd294190e342e58c67ce6c8 (diff)
download	mruby-ff03a9a61c62340cff62f8e0fdc1a1e8775b6f17.tar.gz mruby-ff03a9a61c62340cff62f8e0fdc1a1e8775b6f17.zip