author | nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2010-08-05 03:39:19 +0000 |
---|---|---|
committer | nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2010-08-05 03:39:19 +0000 |
commit | ae824807055802a812a23f19cd1a5086223df11d (patch) | |
tree | abbfe40afb841de24e94965ddd9ca96b58319413 | |
parent | a2ebc53ec49b0fe42c3fe91dba13e3400a93ade7 (diff) |
* string.c (str_make_independent_expand): fix buffer overflow
while shrinking.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@28863 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | string.c | 3 |
2 files changed, 7 insertions, 1 deletions
@@ -1,3 +1,8 @@
+Thu Aug 5 12:39:14 2010 Nobuyoshi Nakada <nobu@ruby-lang.org>
+
+ * string.c (str_make_independent_expand): fix buffer overflow
+ while shrinking.
+
 Thu Aug 5 06:42:31 2010 Tanaka Akira <akr@fsij.org>
 * file.c (realpath_rec): call rb_str_modify before rb_str_set_len.
@@ -1271,8 +1271,9 @@ str_make_independent_expand(VALUE str, long expand)
 ptr = ALLOC_N(char, len+expand+1);
 if (RSTRING_PTR(str)) {
- memcpy(ptr, RSTRING_PTR(str), len);
+ memcpy(ptr, RSTRING_PTR(str), expand < 0 ? len + expand : len);
 }
+ len += expand;
 STR_SET_NOEMBED(str);
 ptr[len] = 0;
 RSTRING(str)->as.heap.ptr = ptr; |
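Review bot: The added `len += expand;` in the string.c hunk also runs when `expand` is positive, so `ptr[len] = 0` now writes the terminator at the last byte of the buffer instead of right after the copied data, and the bytes between the old length and the end stay as ALLOC_N returned them. If the lines after this hunk store `len` as the string length (the function body continues outside the hunk), those uninitialised bytes would become part of the string. Clamping instead of adding keeps both directions right: `long capa = len + expand; if (len > capa) len = capa;` before the allocation, then `ALLOC_N(char, capa + 1)` and `memcpy(ptr, RSTRING_PTR(str), len)`. Nothing visible rejects `expand < -len`, which would make the copy size and the index in `ptr[len]` negative, so an explicit check for that precondition is worth adding as well.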