From c60bccaa9422d28e4d74e6f4cdb4781adcaa50c7 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto" <matz@ruby.or.jp>
Date: Mon, 6 Jan 2020 22:25:47 +0900
Subject: Check remaining string length before access to avoid OOB access.

---
 src/string.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/string.c b/src/string.c
index 93e4847d0..01f7d9efa 100644
--- a/src/string.c
+++ b/src/string.c
@@ -2502,7 +2502,7 @@ mrb_str_len_to_dbl(mrb_state *mrb, const char *s, size_t len, mrb_bool badcheck)
   if (!p) return 0.0;
   while (ISSPACE(*p)) p++;
 
-  if (p[0] == '0' && (p[1] == 'x' || p[1] == 'X')) {
+  if (pend - p > 2 && p[0] == '0' && (p[1] == 'x' || p[1] == 'X')) {
     mrb_value x;
 
     x = mrb_str_len_to_inum(mrb, p, pend-p, 0, badcheck);
-- 
cgit v1.2.3