From 94395e81c1e853fbfd507a0d12e5836a64bf0ce7 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Sat, 11 Mar 2017 15:22:54 +0900
Subject: The width printf specifier may be negative; fix #3498
---
 mrbgems/mruby-sprintf/src/sprintf.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-) (limited to 'mrbgems/mruby-sprintf/src/sprintf.c')
diff --git a/mrbgems/mruby-sprintf/src/sprintf.c b/mrbgems/mruby-sprintf/src/sprintf.c
index fcda7733d..cc00198d0 100644
--- a/mrbgems/mruby-sprintf/src/sprintf.c
+++ b/mrbgems/mruby-sprintf/src/sprintf.c
@@ -116,6 +116,7 @@ mrb_fix2binstr(mrb_state *mrb, mrb_value x, int base)
 #define CHECK(l) do {\
 /* int cr = ENC_CODERANGE(result);*/\
+ if ((l) < 0) mrb_raise(mrb, E_ARGUMENT_ERROR, "illegal specifier"); \
 while ((l) >= bsiz - blen) {\
 bsiz*=2;\
 if (bsiz < 0) mrb_raise(mrb, E_ARGUMENT_ERROR, "too big specifier"); \
@@ -766,7 +767,7 @@ retry:
 width -= (int)slen;
 if (!(flags&FMINUS)) {
 CHECK(width);
- while (width--) {
+ while (width-- > 0) {
 buf[blen++] = ' ';
 }
 }
@@ -775,7 +776,7 @@ retry:
 blen += len;
 if (flags&FMINUS) {
 CHECK(width);
- while (width--) {
+ while (width-- > 0) {
 buf[blen++] = ' ';
 }
 }
@@ -982,7 +983,7 @@ retry:
 width -= prec;
 }
- if (!(flags&FMINUS)) {
+ if (!(flags&FMINUS) && width > 0) {
 CHECK(width);
 while (width-- > 0) {
 buf[blen++] = ' ';
@@ -1012,9 +1013,11 @@ retry:
 }
 PUSH(s, len);
- CHECK(width);
- while (width-- > 0) {
- buf[blen++] = ' ';
+ if (width > 0) {
+ CHECK(width);
+ while (width-- > 0) {
+ buf[blen++] = ' ';
+ }
 }
 }
 break;
-- cgit v1.2.3
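Review bot: The growth loop in `CHECK` still detects an oversized request by testing `bsiz < 0` after `bsiz*=2`, which only works if signed overflow wraps. If `bsiz` is a signed int, as that test suggests, the overflow is undefined behaviour and an optimising compiler may drop the test, leaving the buffer size unchecked. Since the added line now rejects a negative `l` explicitly, the upper bound should be explicit too: test before doubling, `if (bsiz > INT_MAX / 2) mrb_raise(mrb, E_ARGUMENT_ERROR, "too big specifier");` and then `bsiz*=2;` (this needs `<limits.h>` if the file does not already include it). The macro now evaluates `(l)` in both the new test and the loop condition, so a short comment that callers must pass a side-effect-free expression would help. The macro body continues outside the hunk.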
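Review bot: The padding sites in the hunks at -766 and -775 still call `CHECK(width)` with no `width > 0` guard, while the hunks at -982 and -1012 add one, so the four pad loops now rest on different assumptions. Whether `width` can be negative at the first two sites depends on the enclosing condition, which lies outside these hunks. If it can, they raise "illegal specifier" from `CHECK`, where the later two silently skip the padding. Either give them the same shape, `if (width > 0) { CHECK(width); while (width-- > 0) buf[blen++] = ' '; }`, or, once the invariant is confirmed, record it with a comment such as `/* width is known to be positive here */`. Moving the guarded loop into one small helper macro next to `CHECK` would keep all four sites from drifting apart again.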