From 83005d83d8ba95524436409d5d73fd82b63bc115 Mon Sep 17 00:00:00 2001
From: Craig Lehmann
Date: Tue, 15 Nov 2016 14:50:52 -0500
Subject: Read length after args in String#setbyte
Prevents RCE
Reported by https://hackerone.com/raydot
---
mrbgems/mruby-string-ext/src/string.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'mrbgems/mruby-string-ext/src/string.c')
diff --git a/mrbgems/mruby-string-ext/src/string.c b/mrbgems/mruby-string-ext/src/string.c
index 122ee5454..dfac907ec 100644
--- a/mrbgems/mruby-string-ext/src/string.c
+++ b/mrbgems/mruby-string-ext/src/string.c
@@ -23,10 +23,11 @@ static mrb_value
 mrb_str_setbyte(mrb_state *mrb, mrb_value str)
 {
 mrb_int pos, byte;
- long len = RSTRING_LEN(str);
+ long len;
 mrb_get_args(mrb, "ii", &pos, &byte);
+ len = RSTRING_LEN(str);
 if (pos < -len || len <= pos)
 mrb_raisef(mrb, E_INDEX_ERROR, "index %S is out of array", mrb_fixnum_value(pos));
 if (pos < 0)
--
cgit v1.2.3
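Review bot: The new `len = RSTRING_LEN(str);` line after `mrb_get_args()` is load-bearing for the bounds check directly below it, but nothing in the code says so, and a later cleanup could fold it back into the declaration and reintroduce the problem. Presumably the "ii" conversion can call back into Ruby code that changes the receiver's length, which would leave a length cached beforehand stale; a comment such as `/* read the length only after mrb_get_args(): argument conversion may run code that resizes str */` would pin the ordering down. Separately, `len` is declared `long` while `pos` is `mrb_int`; if `mrb_int` can be wider than `long` on some targets, the `pos < -len || len <= pos` check would compare against a truncated length, so `mrb_int len;` looks safer. The body of mrb_str_setbyte continues past the end of the hunk, so the write that relies on this check is not visible here.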