From 758353902940e43530dbbbab0d9ce6ded5884923 Mon Sep 17 00:00:00 2001
From: dearblue
Date: Sat, 22 Jun 2019 16:48:22 +0900
Subject: Fix potential overflow in `utf8len()`

For example on 32 bit mode, when `p = 0xfffffffd`, `e = 0xfffffffe` and `len = 4`, the sum of `p` and `len` can be to `1`, and comparison with `e` will to be false. As a result, a segmentation fault occurs by referring to address 0.
---
src/string.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/string.c b/src/string.c
index bfe73b359..ed58c484b 100644
--- a/src/string.c
+++ b/src/string.c
@@ -234,7 +234,7 @@ utf8len(const char* p, const char* e)
   mrb_int i;
   len = utf8len_codepage[(unsigned char)*p];
-  if (p + len > e) return 1;
+  if (len > e - p) return 1;
   for (i = 1; i < len; ++i)
     if ((p[i] & 0xc0) != 0x80) return 1;
--
cgit v1.2.3
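Review bot: The new comparison `if (len > e - p) return 1;` still runs after `*p` has already been read on the preceding `len = utf8len_codepage[(unsigned char)*p];` line, so the function keeps depending on an unstated precondition `p < e` (also required for `e - p` to be a valid, non-negative `ptrdiff_t`), and nothing in the hunk checks or documents it. I would state the contract and the reason for the length-based form in a comment above the check, e.g. `/* Compare remaining bytes, not pointers: forming p + len past the buffer end is UB in C and wraps on 32-bit (see commit). Caller must guarantee p < e. */`, so the line is not "simplified" back to pointer arithmetic later. If callers cannot be shown to uphold `p < e`, a guard before the table lookup, `if (p >= e) return 1;`, would be the cheap defensive addition, though whether that matches what callers expect is not visible from this hunk. Note that `len` is `mrb_int` and `e - p` is `ptrdiff_t`, both signed, so the new comparison has no signed/unsigned promotion surprise. The body of utf8len starts before this hunk (only its signature appears in the @@ context) and its final `return` is after it.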