From ff03a9a61c62340cff62f8e0fdc1a1e8775b6f17 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Sat, 11 Feb 2017 20:35:52 +0900
Subject: Avoid integer overflow in sprintf(); fix #3439

This issue was reported by https://hackerone.com/aerodudrizzt
---
 mrbgems/mruby-sprintf/src/sprintf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'mrbgems/mruby-sprintf/src/sprintf.c')

diff --git a/mrbgems/mruby-sprintf/src/sprintf.c b/mrbgems/mruby-sprintf/src/sprintf.c
index 616277f5e..d02a2aa4d 100644
--- a/mrbgems/mruby-sprintf/src/sprintf.c
+++ b/mrbgems/mruby-sprintf/src/sprintf.c
@@ -116,8 +116,9 @@ mrb_fix2binstr(mrb_state *mrb, mrb_value x, int base)
 #define CHECK(l) do {\
 /* int cr = ENC_CODERANGE(result);*/\
- while (blen + (l) >= bsiz) {\
+ while ((l) >= bsiz - blen) {\
 bsiz*=2;\
+ if (bsiz < 0) mrb_raise(mrb, E_ARGUMENT_ERROR, "too big specifier"); \
 }\
 mrb_str_resize(mrb, result, bsiz);\
 /* ENC_CODERANGE_SET(result, cr);*/\
-- 
cgit v1.2.3
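Review bot: The new guard `if (bsiz < 0)` on the line after `bsiz*=2;` relies on signed overflow wrapping to a negative value, which is undefined behavior if bsiz is a signed integer (its declaration is outside the hunk, but the `< 0` test only makes sense for a signed type); an optimizing compiler may assume a positive `bsiz*2` stays positive and drop the check entirely, reintroducing the undersized buffer this commit is meant to prevent. Test the bound before doubling instead, e.g. `if (bsiz > MRB_INT_MAX / 2) mrb_raise(mrb, E_ARGUMENT_ERROR, "too big specifier");` followed by `bsiz*=2;`, substituting the limit that matches bsiz's actual type. The CHECK macro body continues past the end of the hunk, so the closing `} while (0)` and the uses of `bsiz`/`blen` after the loop are not visible here. Minor style: the added line ends with `; \` (a stray space before the continuation backslash) while the surrounding macro lines use `;\`.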