From 4550f4e38153c623537e6df53a4fe7c1c063adc0 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Thu, 15 Nov 2018 02:03:54 +0900
Subject: Pattern length may overflow `uint16_t`; fixed #4163
The issue is reported by `https://hackerone.com/dgaletic`.
---
 mrbgems/mruby-string-ext/src/string.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'mrbgems/mruby-string-ext/src/string.c')
diff --git a/mrbgems/mruby-string-ext/src/string.c b/mrbgems/mruby-string-ext/src/string.c
index 460c8509e..cfc194906 100644
--- a/mrbgems/mruby-string-ext/src/string.c
+++ b/mrbgems/mruby-string-ext/src/string.c
@@ -282,7 +282,7 @@ tr_parse_pattern(mrb_state *mrb, struct tr_pattern *ret, const mrb_value v_patte
 mrb_int pattern_length = RSTRING_LEN(v_pattern);
 mrb_bool flag_reverse = FALSE;
 struct tr_pattern *pat1;
- int i = 0;
+ mrb_int i = 0;
 if(flag_reverse_enable && pattern_length >= 2 && pattern[0] == '^') {
 flag_reverse = TRUE;
@@ -313,8 +313,8 @@ tr_parse_pattern(mrb_state *mrb, struct tr_pattern *ret, const mrb_value v_patte
 }
 else {
 /* in order pattern. */
- int start_pos = i++;
- int len;
+ mrb_int start_pos = i++;
+ mrb_int len;
 while (i < pattern_length) {
 if ((i+2) < pattern_length && pattern[i] != '\\' && pattern[i+1] == '-')
@@ -323,6 +323,9 @@ tr_parse_pattern(mrb_state *mrb, struct tr_pattern *ret, const mrb_value v_patte
 }
 len = i - start_pos;
+ if (len > UINT16_MAX) {
+ mrb_raise(mrb, E_ARGUMENT_ERROR, "tr pattern too long (max 65536)");
+ }
 if (pat1 == NULL && ret) {
 goto nomem;
 }
--
cgit v1.2.3
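Review bot: The new guard in the third hunk rejects `len > UINT16_MAX`, so the largest accepted length is 65535, but the message says `max 65536`; it should read `"tr pattern too long (max 65535)"`. `mrb_raise` does not return, so raising here bypasses whatever the `nomem` label a few lines below does. If `pat1` or earlier pattern nodes were heap-allocated before this point (the allocation is outside the hunk), they would leak on this path, so they should be released before raising. The check sits only in the in-order branch; the range branch of tr_parse_pattern is outside the hunk, so confirm it cannot store an oversized value either.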