merge revision(s) 57108: [Backport #13049]

	sprintf.c: fix width underflow

	* sprintf.c (rb_str_format): fix memory corruption by width
  underflow.  https://github.com/mruby/mruby/issues/3347

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_2@57219 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

4 files changed, 13 insertions, 3 deletions

diff --git a/ChangeLog b/ChangeLog
index 7018952bed..19d20e7047 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Tue Dec 27 19:57:51 2016  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* sprintf.c (rb_str_format): fix memory corruption by width underflow.
+	  https://github.com/mruby/mruby/issues/3347
+
 Tue Dec 27 19:55:10 2016  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	 * re.c (rb_reg_regsub): other than regexp has no name references.
diff --git a/sprintf.c b/sprintf.c
index d3f308e1b1..70c7cceb14 100644
--- a/sprintf.c
+++ b/sprintf.c
@@ -689,10 +689,10 @@ rb_str_format(int argc, const VALUE *argv, VALUE fmt)
 		    CHECK(n);
 		    rb_enc_mbcput(c, &buf[blen], enc);
 		    blen += n;
-		    FILL(' ', width-1);
+		    if (width > 1) FILL(' ', width-1);
 		}
 		else {
-		    FILL(' ', width-1);
+		    if (width > 1) FILL(' ', width-1);
 		    CHECK(n);
 		    rb_enc_mbcput(c, &buf[blen], enc);
 		    blen += n;
diff --git a/test/ruby/test_sprintf.rb b/test/ruby/test_sprintf.rb
index d429ef0ddc..3fd4736a54 100644
--- a/test/ruby/test_sprintf.rb
+++ b/test/ruby/test_sprintf.rb
@@ -421,4 +421,9 @@ class TestSprintf < Test::Unit::TestCase
       assert_equal(enc, e.message.encoding)
     end
   end
+
+  def test_width_underflow
+    bug = 'https://github.com/mruby/mruby/issues/3347'
+    assert_equal("!", sprintf("%*c", 0, ?!.ord), bug)
+  end
 end
diff --git a/version.h b/version.h
index e5a6bb061b..9e94d611ea 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
 #define RUBY_VERSION "2.2.7"
 #define RUBY_RELEASE_DATE "2016-12-27"
-#define RUBY_PATCHLEVEL 409
+#define RUBY_PATCHLEVEL 410
 
 #define RUBY_RELEASE_YEAR 2016
 #define RUBY_RELEASE_MONTH 12