authorNobuyoshi Nakada <nobu@ruby-lang.org>2021-09-03 19:40:22 +0900
committergit <svn-admin@ruby-lang.org>2021-11-24 19:58:59 +0900
commitda34f31ad0315b9b8dfb318aafab393aee54968f (patch)
tree4ee9ce2acf723bb0ba7122024ac3855cb4115d65 /ext/cgi/escape
parent3454a456d1005dac799279dae42555759b741fc9 (diff)
[ruby/cgi] Fix integer overflow
Make use of the check in rb_alloc_tmp_buffer2. https://hackerone.com/reports/1328463 https://github.com/ruby/cgi/commit/c728632c1c
Diffstat (limited to 'ext/cgi/escape')
-rw-r--r--ext/cgi/escape/escape.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/ext/cgi/escape/escape.c b/ext/cgi/escape/escape.c
index 3a7837e4df..809f95ef4c 100644
--- a/ext/cgi/escape/escape.c
+++ b/ext/cgi/escape/escape.c
@@ -36,7 +36,8 @@ static VALUE
optimized_escape_html(VALUE str)
{
VALUE vbuf;
- char *buf = ALLOCV_N(char, vbuf, RSTRING_LEN(str) * HTML_ESCAPE_MAX_LEN);
+ typedef char escape_buf[HTML_ESCAPE_MAX_LEN];
+ char *buf = *ALLOCV_N(escape_buf, vbuf, RSTRING_LEN(str));
const char *cstr = RSTRING_PTR(str);
const char *end = cstr + RSTRING_LEN(str);
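Review bot: The `escape_buf` typedef and the leading `*` on the `ALLOCV_N` call in the two added lines are not self-explanatory, and nothing in the code says why the buffer is allocated as an array of `escape_buf` instead of `char`. Without a comment, a later cleanup could fold this back into `ALLOCV_N(char, vbuf, RSTRING_LEN(str) * HTML_ESCAPE_MAX_LEN)` and reintroduce the unchecked multiplication on a caller-supplied string length. I would add a comment above the typedef such as `/* element type is HTML_ESCAPE_MAX_LEN bytes so the length * size multiply happens inside ALLOCV_N (checked in rb_alloc_tmp_buffer2, per the commit message); do not multiply at the call site */`. The body of optimized_escape_html continues past the end of the hunk, so how `buf` is written to and released is not visible here.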