* string.c (str_make_independent_expand): fix buffer overflow

while shrinking. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@28863 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
author: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2010-08-05 03:39:19 +0000
committer: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2010-08-05 03:39:19 +0000
commit: ae824807055802a812a23f19cd1a5086223df11d (patch)
tree: abbfe40afb841de24e94965ddd9ca96b58319413
parent: a2ebc53ec49b0fe42c3fe91dba13e3400a93ade7 (diff)
2 files changed, 7 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 45f11b6413..de313392c1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Thu Aug  5 12:39:14 2010  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* string.c (str_make_independent_expand): fix buffer overflow
+	  while shrinking.
+
 Thu Aug  5 06:42:31 2010  Tanaka Akira  <akr@fsij.org>
 
 	* file.c (realpath_rec): call rb_str_modify before rb_str_set_len.
diff --git a/string.c b/string.c
index d27c67a948..865de57271 100644
--- a/string.c
+++ b/string.c
@@ -1271,8 +1271,9 @@ str_make_independent_expand(VALUE str, long expand)
 
     ptr = ALLOC_N(char, len+expand+1);
     if (RSTRING_PTR(str)) {
-	memcpy(ptr, RSTRING_PTR(str), len);
+	memcpy(ptr, RSTRING_PTR(str), expand < 0 ? len + expand : len);
     }
+    len += expand;
     STR_SET_NOEMBED(str);
     ptr[len] = 0;
     RSTRING(str)->as.heap.ptr = ptr;
author	nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2010-08-05 03:39:19 +0000
committer	nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2010-08-05 03:39:19 +0000
commit	ae824807055802a812a23f19cd1a5086223df11d (patch)
tree	abbfe40afb841de24e94965ddd9ca96b58319413
parent	a2ebc53ec49b0fe42c3fe91dba13e3400a93ade7 (diff)