From b7f9a58757bdf30e9d64191ac47d81144e3f6098 Mon Sep 17 00:00:00 2001
From: Bouke van der Bijl
Date: Wed, 16 Nov 2016 17:14:16 -0500
Subject: Fix null pointer dereference in mrb_time_initialize

Reported by https://hackerone.com/raydot
---
 mrbgems/mruby-time/src/time.c | 4 ++--
 mrbgems/mruby-time/test/time.rb | 11 +++++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/mrbgems/mruby-time/src/time.c b/mrbgems/mruby-time/src/time.c
index 5c23bd44a..dfd4450da 100644
--- a/mrbgems/mruby-time/src/time.c
+++ b/mrbgems/mruby-time/src/time.c
@@ -587,14 +587,14 @@ mrb_time_initialize(mrb_state *mrb, mrb_value self)
 int n;
 struct mrb_time *tm;
+ n = mrb_get_args(mrb, "|iiiiiii",
+ &ayear, &amonth, &aday, &ahour, &amin, &asec, &ausec);
 tm = (struct mrb_time*)DATA_PTR(self);
 if (tm) {
 mrb_free(mrb, tm);
 }
 mrb_data_init(self, NULL, &mrb_time_type);
- n = mrb_get_args(mrb, "|iiiiiii",
- &ayear, &amonth, &aday, &ahour, &amin, &asec, &ausec);
 if (n == 0) {
 tm = current_mrb_time(mrb);
 }
diff --git a/mrbgems/mruby-time/test/time.rb b/mrbgems/mruby-time/test/time.rb
index 759e2881d..91a646759 100644
--- a/mrbgems/mruby-time/test/time.rb
+++ b/mrbgems/mruby-time/test/time.rb
@@ -211,3 +211,14 @@ assert('2000 times 500us make a second') do
 end
 t.usec == 0
 end
+
+assert("Time#initialize doens't leave uninitialized object accessible") do
+ assert_raise ArgumentError do
+ $x = Time.new
+ a = Object.new
+ def a.to_i
+ $x.mday
+ end
+ $x.initialize a
+ end
+end
--
cgit v1.2.3
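Review bot: The receiver still carries a NULL data pointer from `mrb_data_init(self, NULL, &mrb_time_type)` until the final store of the new struct, which happens after this hunk, so any raise out of `current_mrb_time` or the non-zero-argument path that follows leaves a Time object whose accessors must tolerate NULL or they reproduce the reported dereference through a different entry point. Moving `mrb_get_args` ahead of the free closes the re-entrancy window during argument conversion, but the durable guard is that every consumer of `DATA_PTR` in this file checks for NULL and raises instead of dereferencing; that is worth confirming since those accessors are outside the hunk. The ordering constraint should be recorded above the moved call so a later refactor does not reintroduce it: `/* Convert arguments before freeing the old struct: integer conversion can call back into Ruby (to_i), which may read this object. */`. mrb_time_initialize begins and ends outside the hunk.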
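Review bot: The test does not make explicit which call is expected to raise ArgumentError, and the assertion name on the first added line has a typo (`doens't` → `doesn't`). After this commit `$x.mday` inside `to_i` runs against the fully initialized Time from `Time.new`, so the raise presumably comes from `$x.initialize a` receiving the day-of-month as the year, which looks like a property of the platform's time validation rather than of the fix; if so the test may pass or fail depending on the host. A test that pins the reported scenario directly would assert that `$x.mday` evaluated inside `to_i` returns an Integer without error and that the object is usable afterwards, independent of what `initialize` does with the converted value. A local variable would also avoid leaving the global `$x` behind for the rest of the suite.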