From 83005d83d8ba95524436409d5d73fd82b63bc115 Mon Sep 17 00:00:00 2001
From: Craig Lehmann <cplehm@users.noreply.github.com>
Date: Tue, 15 Nov 2016 14:50:52 -0500
Subject: Read length after args in String#setbyte

Prevents RCE
Reported by https://hackerone.com/raydot
---
 mrbgems/mruby-string-ext/test/string.rb | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'mrbgems/mruby-string-ext/test')

diff --git a/mrbgems/mruby-string-ext/test/string.rb b/mrbgems/mruby-string-ext/test/string.rb
index a5d55a7ee..228a236af 100644
--- a/mrbgems/mruby-string-ext/test/string.rb
+++ b/mrbgems/mruby-string-ext/test/string.rb
@@ -30,6 +30,18 @@ assert('String#setbyte') do
   assert_equal("Hello", str1)
 end
 
+assert("String#setbyte raises IndexError if arg conversion resizes String") do
+  $s = "01234\n"
+  class Tmp
+      def to_i
+          $s.chomp! ''
+          95
+      end
+  end
+  tmp = Tmp.new
+  assert_raise(IndexError) { $s.setbyte(5, tmp) }
+end
+
 assert('String#byteslice') do
   str1 = "hello"
   assert_equal("e", str1.byteslice(1))
-- 
cgit v1.2.3