From 2a234a93d769cf90bf52990a89d0817416fd3185 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Mon, 14 Dec 2015 10:46:30 +0900
Subject: mrb_str_len_to_inum(): string may not be NUL terminated; ref #3043
---
 src/string.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
(limited to 'src/string.c')
diff --git a/src/string.c b/src/string.c
index 552293a46..eda4c3fb8 100644
--- a/src/string.c
+++ b/src/string.c
@@ -2124,6 +2124,10 @@ mrb_str_len_to_inum(mrb_state *mrb, const char *str, size_t len, int base, int b
 }
 break;
 } /* end of switch (base) { */
+ if (p>=pend) {
+ if (badcheck) goto bad;
+ return mrb_fixnum_value(0);
+ }
 if (*p == '0') { /* squeeze preceding 0s */
 p++;
 while (p= base) {
@@ -2186,7 +2193,7 @@ mrb_str_len_to_inum(mrb_state *mrb, const char *str, size_t len, int base, int b
 /* not reached */
 bad:
 mrb_raisef(mrb, E_ARGUMENT_ERROR, "invalid string for number(%S)",
- mrb_inspect(mrb, mrb_str_new_cstr(mrb, str)));
+ mrb_inspect(mrb, mrb_str_new(mrb, str, pend-str)));
 /* not reached */
 return mrb_fixnum_value(0);
 }
-- cgit v1.2.3
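Review bot: The added `p>=pend` guard ahead of `if (*p == '0')` carries no comment, although it is what keeps that dereference inside the `len` bytes when the input ends right after the switch on `base`. I would add `/* str need not be NUL-terminated: never read *p at or past pend */` above it so the check is not later removed as redundant. The diffstat lists only src/string.c, so a regression test that converts a slice of a larger buffer with no terminator after the digits would be worth adding alongside. Any dereference of `p` before the switch lies outside this hunk and should be confirmed to be bounded by `pend` too.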
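Review bot: In the `bad:` path, `mrb_str_new(mrb, str, pend-str)` hands a pointer difference to a length parameter, while the function already receives `size_t len`. Assuming `pend` is `str + len` (its definition is outside the hunk), `mrb_inspect(mrb, mrb_str_new(mrb, str, len)));` is equivalent and does not depend on `pend` being set and unmodified at every `goto bad`. If any `goto bad` can be taken with `str` null, the subtraction is worth a second look as well; the start of the function is not visible here.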