From bdac7dfae818908f7459fc086727b717aa586c7d Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Tue, 28 Feb 2017 09:13:51 +0900
Subject: Check if the value is fixnum before mrb_funcall(); fix #3476

The issue is reported by https://hackerone.com/aerodudrizzt
---
 src/string.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'src/string.c')
diff --git a/src/string.c b/src/string.c
index acf32167d..b5d34b8b5 100644
--- a/src/string.c
+++ b/src/string.c
@@ -959,8 +959,8 @@ mrb_str_cmp_m(mrb_state *mrb, mrb_value str1)
 else {
 mrb_value tmp = mrb_funcall(mrb, str2, "<=>", 1, str1);
- if (mrb_nil_p(tmp)) return mrb_nil_value();
- if (!mrb_fixnum(tmp)) {
+ if (!mrb_nil_p(tmp)) return mrb_nil_value();
+ if (!mrb_fixnum_p(tmp)) {
 return mrb_funcall(mrb, mrb_fixnum_value(0), "-", 1, tmp);
 }
 result = -mrb_fixnum(tmp);
-- cgit v1.2.3
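Review bot: The nil check on the new side is inverted: `if (!mrb_nil_p(tmp)) return mrb_nil_value();` returns nil for every non-nil result of the `<=>` call, so `result = -mrb_fixnum(tmp);` can no longer be reached. When `tmp` is nil the code falls through, `mrb_fixnum_p(tmp)` is false, and `-` is called on fixnum 0 with a nil argument instead of returning nil. The switch from `mrb_fixnum()` to `mrb_fixnum_p()` is the right guard, since it tests the type tag rather than reading the integer payload of a value returned by a caller-defined `<=>`. Keep that line and restore the first one to `if (mrb_nil_p(tmp)) return mrb_nil_value();`. The body of mrb_str_cmp_m starts and ends outside the hunk, so how `result` is used afterwards is not visible here.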