From 94fb86f89b131814201596d301f584dfe4547526 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Sat, 13 Feb 2021 14:06:37 +0900
Subject: parse.y: string buffer (`tokbuf`) can overflow. Check if `esclen` is smaller than `len` (original string length).
---
 mrbgems/mruby-compiler/core/parse.y | 1 +
 mrbgems/mruby-compiler/core/y.tab.c | 1 +
 2 files changed, 2 insertions(+)
diff --git a/mrbgems/mruby-compiler/core/parse.y b/mrbgems/mruby-compiler/core/parse.y
index 1a97b3ec6..56b9bb38a 100644
--- a/mrbgems/mruby-compiler/core/parse.y
+++ b/mrbgems/mruby-compiler/core/parse.y
@@ -4682,6 +4682,7 @@ heredoc_remove_indent(parser_state *p, parser_heredoc_info *hinf)
 start = 0;
 while (start < len) {
 end = escaped ? (size_t)escaped->car : len;
+ if (end > len) end = len;
 spaces = (size_t)nspaces->car;
 size_t esclen = end - start;
 heredoc_count_indent(hinf, str + start, esclen, spaces, &offset);
diff --git a/mrbgems/mruby-compiler/core/y.tab.c b/mrbgems/mruby-compiler/core/y.tab.c
index 6c7940a7b..0ba1c8d7f 100644
--- a/mrbgems/mruby-compiler/core/y.tab.c
+++ b/mrbgems/mruby-compiler/core/y.tab.c
@@ -10718,6 +10718,7 @@ heredoc_remove_indent(parser_state *p, parser_heredoc_info *hinf)
 start = 0;
 while (start < len) {
 end = escaped ? (size_t)escaped->car : len;
+ if (end > len) end = len;
 spaces = (size_t)nspaces->car;
 size_t esclen = end - start;
 heredoc_count_indent(hinf, str + start, esclen, spaces, &offset);
-- cgit v1.2.3
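Review bot: The new clamp in the parse.y hunk bounds `end` only from above, so `size_t esclen = end - start;` two lines later can still wrap to a huge unsigned value if an `escaped->car` offset is ever smaller than `start`. The hunk does not show how `start` advances or whether the `escaped` list is guaranteed to be ascending, so this may already hold as an invariant. If it is not guaranteed, a lower-bound guard such as `if (end < start) end = start;` belongs next to the new line, and which recovery is right depends on the rest of the loop, which lies outside the hunk. Clamping silently also hides the fact that the recorded offsets disagree with the string length, so a short comment such as `/* escaped offsets may exceed len; keep esclen within str */` would help the next reader. The y.tab.c hunk is the generated copy of the same line.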