merge revision(s) 19346c2336053b351673da030b00c704138252d8: [Backport #19754]

	[Bug #19754] Make `IO::Buffer#get_string` check `offset` range
	 (#8016)

	---
	 io_buffer.c                 | 3 +++
	 test/ruby/test_io_buffer.rb | 8 ++++++++
	 2 files changed, 11 insertions(+)

3 files changed, 13 insertions, 2 deletions

diff --git a/io_buffer.c b/io_buffer.c
index 4b806906f2..7d4fa8d330 100644
--- a/io_buffer.c
+++ b/io_buffer.c
@@ -1063,8 +1063,11 @@ rb_io_buffer_free(VALUE self)
 static inline void
 io_buffer_validate_range(struct rb_io_buffer *data, size_t offset, size_t length)
 {
+    if (offset > data->size) {
+        rb_raise(rb_eArgError, "Specified offset exceeds buffer size!");
+    }
     if (offset + length > data->size) {
-        rb_raise(rb_eArgError, "Specified offset+length exceeds data size!");
+        rb_raise(rb_eArgError, "Specified offset+length exceeds buffer size!");
     }
 }
 
diff --git a/test/ruby/test_io_buffer.rb b/test/ruby/test_io_buffer.rb
index fdfea00dfe..c1034efe34 100644
--- a/test/ruby/test_io_buffer.rb
+++ b/test/ruby/test_io_buffer.rb
@@ -227,6 +227,14 @@ class TestIOBuffer < Test::Unit::TestCase
 
     chunk = buffer.get_string(0, message.bytesize, Encoding::BINARY)
     assert_equal Encoding::BINARY, chunk.encoding
+
+    assert_raise_with_message(ArgumentError, /exceeds buffer size/) do
+      buffer.get_string(0, 129)
+    end
+
+    assert_raise_with_message(ArgumentError, /exceeds buffer size/) do
+      buffer.get_string(129)
+    end
   end
 
   # We check that values are correctly round tripped.
diff --git a/version.h b/version.h
index b6c504b132..913c9f82ca 100644
--- a/version.h
+++ b/version.h
@@ -11,7 +11,7 @@
 # define RUBY_VERSION_MINOR RUBY_API_VERSION_MINOR
 #define RUBY_VERSION_TEENY 4
 #define RUBY_RELEASE_DATE RUBY_RELEASE_YEAR_STR"-"RUBY_RELEASE_MONTH_STR"-"RUBY_RELEASE_DAY_STR
-#define RUBY_PATCHLEVEL 245
+#define RUBY_PATCHLEVEL 246
 
 #define RUBY_RELEASE_YEAR 2023
 #define RUBY_RELEASE_MONTH 11