merge revision(s) 55054: [Backport #12390]

* string.c (rb_str_modify_expand): check integer overflow. [ruby-core:75592] [Bug #12390] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@55426 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
author: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2016-06-15 16:05:04 +0000
committer: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2016-06-15 16:05:04 +0000
commit: e117afcb70719022a362b0ae3433dddc1944def5 (patch)
tree: f8f1d9405d63249282888176efb06882746021e7
parent: 13f618f1ed08ebe182c3bf2e4948fd3be2a2be3d (diff)
4 files changed, 18 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index ce0d722226..ee5cdd6b58 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Thu Jun 16 00:42:56 2016  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* string.c (rb_str_modify_expand): check integer overflow.
+	  [ruby-core:75592] [Bug #12390]
+
 Thu Jun 16 00:29:29 2016  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* vm_insnhelper.c (vm_get_ev_const): warn deprecated constant even
diff --git a/string.c b/string.c
index 5625c2bd88..bc27b8cfdd 100644
--- a/string.c
+++ b/string.c
@@ -1820,6 +1820,9 @@ rb_str_modify_expand(VALUE str, long expand)
     else if (expand > 0) {
 	long len = RSTRING_LEN(str);
 	long capa = len + expand;
+	if (expand >= LONG_MAX - len - termlen) {
+	    rb_raise(rb_eArgError, "string size too big");
+	}
 	if (!STR_EMBED_P(str)) {
 	    REALLOC_N(RSTRING(str)->as.heap.ptr, char, capa + termlen);
 	    RSTRING(str)->as.heap.aux.capa = capa;
diff --git a/test/-ext-/string/test_modify_expand.rb b/test/-ext-/string/test_modify_expand.rb
index 5eb7a02b91..d3f5a17037 100644
--- a/test/-ext-/string/test_modify_expand.rb
+++ b/test/-ext-/string/test_modify_expand.rb
@@ -13,4 +13,13 @@ class Test_StringModifyExpand < Test::Unit::TestCase
       s.replace("")
     CMD
   end
+
+  def test_integer_overflow
+    bug12390 = '[ruby-core:75592] [Bug #12390]'
+    s = Bug::String.new
+    long_max = (1 << (8 * RbConfig::SIZEOF['long'] - 1)) - 1
+    assert_raise(ArgumentError, bug12390) {
+      s.modify_expand!(long_max)
+    }
+  end
 end
diff --git a/version.h b/version.h
index 93e79cbea9..a5f3cdc7bf 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
 #define RUBY_VERSION "2.3.2"
 #define RUBY_RELEASE_DATE "2016-06-16"
-#define RUBY_PATCHLEVEL 131
+#define RUBY_PATCHLEVEL 132
 
 #define RUBY_RELEASE_YEAR 2016
 #define RUBY_RELEASE_MONTH 6
author	nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2016-06-15 16:05:04 +0000
committer	nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2016-06-15 16:05:04 +0000
commit	e117afcb70719022a362b0ae3433dddc1944def5 (patch)
tree	f8f1d9405d63249282888176efb06882746021e7
parent	13f618f1ed08ebe182c3bf2e4948fd3be2a2be3d (diff)