authorNobuyoshi Nakada <nobu@ruby-lang.org>2025-10-12 13:50:53 +0900
committergit <svn-admin@ruby-lang.org>2025-10-12 04:57:43 +0000
commit7cc3191ea1d8cb637e65cd6c2e9229de0e627643 (patch)
treed56758e06adc4948b847d68ca039fbc6e12b88ba
parent6be2a5104df894079d127d2cdc19b21c4f174d85 (diff)
[ruby/erb] Fix integer overflow
Fix https://github.com/ruby/erb/pull/87 https://github.com/ruby/erb/commit/75764f022b
-rw-r--r--ext/erb/escape/escape.c4
-rw-r--r--test/erb/test_erb.rb3
2 files changed, 5 insertions, 2 deletions
diff --git a/ext/erb/escape/escape.c b/ext/erb/escape/escape.c
index a46fe236c0..9437e9694e 100644
--- a/ext/erb/escape/escape.c
+++ b/ext/erb/escape/escape.c
@@ -49,7 +49,7 @@ optimized_escape_html(VALUE str)
const unsigned char c = *cstr++;
uint8_t len = html_escape_table[c].len;
if (len) {
- uint16_t segment_len = cstr - segment_start - 1;
+ size_t segment_len = cstr - segment_start - 1;
if (!buf) {
buf = ALLOCV_N(char, vbuf, escaped_length(str));
dest = buf;
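Review bot: Neither `size_t segment_len` declaration (here at `cstr - segment_start - 1`, and in the second hunk at `cstr - segment_start`) records why the width matters, so a later cleanup could narrow the type again without anyone noticing. With the old `uint16_t`, a run of unescaped bytes longer than 65535 wrapped the length, and the `memcpy` visible in the second hunk then copied fewer bytes than the run holds, so the escaped string came back with content silently missing. I would add a comment above the first declaration, for example `/* size_t: an unescaped run can be longer than UINT16_MAX bytes */`. The body of optimized_escape_html starts and ends outside both hunks, so the copy in the first branch is presumably affected the same way but is not visible here.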
@@ -64,7 +64,7 @@ optimized_escape_html(VALUE str)
}
}
if (buf) {
- uint16_t segment_len = cstr - segment_start;
+ size_t segment_len = cstr - segment_start;
if (segment_len) {
memcpy(dest, segment_start, segment_len);
dest += segment_len;
diff --git a/test/erb/test_erb.rb b/test/erb/test_erb.rb
index 24f6cc5d89..c0df690cce 100644
--- a/test/erb/test_erb.rb
+++ b/test/erb/test_erb.rb
@@ -77,6 +77,9 @@ class TestERB < Test::Unit::TestCase
assert_equal("", ERB::Util.html_escape(nil))
assert_equal("123", ERB::Util.html_escape(123))
+
+ assert_equal(65536+5, ERB::Util.html_escape("x"*65536 + "&").size)
+ assert_equal(65536+5, ERB::Util.html_escape("&" + "x"*65536).size)
end
def test_html_escape_to_s
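Review bot: The two new assertions use the bare literal `65536` with no hint that it is the first length a 16-bit counter cannot hold, so the regression they guard is not obvious to someone reading the test later. A comment above them such as `# unescaped run longer than UINT16_MAX; see ruby/erb pull 87` would tie them to the fix. Because only `.size` is compared, the position of the escaped entity is not pinned. A cheap addition that keeps failure output short is `assert(ERB::Util.html_escape("x"*65536 + "&").end_with?("&amp;"))`, with a matching `start_with?` for the second case. The enclosing test method starts outside the hunk.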