From d40b922c9803a8ab9ed60108d693940bd31f95b3 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto" <matz@ruby.or.jp>
Date: Sat, 20 Jun 2020 18:56:33 +0900
Subject: Fix potential buffer overflow in `sprintf.c`.

---
 mrbgems/mruby-sprintf/src/sprintf.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'mrbgems/mruby-sprintf/src/sprintf.c')

diff --git a/mrbgems/mruby-sprintf/src/sprintf.c b/mrbgems/mruby-sprintf/src/sprintf.c
index 9a7671a24..bf7a4d725 100644
--- a/mrbgems/mruby-sprintf/src/sprintf.c
+++ b/mrbgems/mruby-sprintf/src/sprintf.c
@@ -842,7 +842,7 @@ retry:
       case 'B':
       case 'u': {
         mrb_value val = GETARG();
-        char nbuf[68], *s;
+        char nbuf[69], *s;
         const char *prefix = NULL;
         int sign = 0, dots = 0;
         char sc = 0;
@@ -914,7 +914,7 @@ retry:
             width--;
           }
           mrb_assert(base == 10);
-          mrb_int2str(nbuf, sizeof(nbuf), v);
+          mrb_int2str(nbuf, sizeof(nbuf)-1, v);
           s = nbuf;
           if (v < 0) s++;       /* skip minus sign */
         }
@@ -927,7 +927,7 @@ retry:
           else {
             val = mrb_fixnum_to_str(mrb, mrb_fixnum_value(v), base);
           }
-          strncpy(++s, RSTRING_PTR(val), sizeof(nbuf)-1);
+          strncpy(++s, RSTRING_PTR(val), sizeof(nbuf)-2);
           if (v < 0) {
             char d;
 
-- 
cgit v1.2.3