From 24583a7a1806dd1845700e12e8b0b823688e9879 Mon Sep 17 00:00:00 2001
From: cremno
Date: Fri, 3 Jul 2015 01:30:54 +0200
Subject: fix oob write by actually truncating buffer

Found by Coverity scan of polyfox-moon: CID 121927 (#1 of 1): Out-of-bounds write (OVERRUN)
---
 mrbgems/mruby-compiler/core/parse.y | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/mrbgems/mruby-compiler/core/parse.y b/mrbgems/mruby-compiler/core/parse.y
index f6a43d32b..26062967d 100644
--- a/mrbgems/mruby-compiler/core/parse.y
+++ b/mrbgems/mruby-compiler/core/parse.y
@@ -3604,10 +3604,13 @@ toklast(parser_state *p)
 static void
 tokfix(parser_state *p)
 {
- if (p->bidx >= MRB_PARSER_BUF_SIZE) {
+ int i = p->bidx, imax = MRB_PARSER_BUF_SIZE - 1;
+
+ if (i > imax) {
+ i = imax;
 yyerror(p, "string too long (truncated)");
 }
- p->buf[p->bidx] = '\0';
+ p->buf[i] = '\0';
 }
 
 static const char*
-- 
cgit v1.2.3
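Review bot: The clamp in `tokfix` is applied only to the local `i`, so `p->bidx` keeps its over-limit value after the buffer has been terminated at `imax`. If any code that runs after `tokfix` uses `p->bidx` as the token length or as an index into `p->buf` (no such reader is visible in this hunk, so this is an inference), it would still address bytes at or past the end of the buffer, and the reported length would disagree with the position of the NUL. Writing the clamp back inside the branch, `p->bidx = imax;`, keeps the index and the terminator consistent and lets the final store stay `p->buf[p->bidx] = '\0';`. A one-line comment on `imax`, for example `/* last valid index; reserves one byte for the terminator */`, would record why the limit is `MRB_PARSER_BUF_SIZE - 1`.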