date_strftime.c: check precision

* ext/date/date_strftime.c (date_strftime_with_tmx): reject too
  large precision to get rid of buffer overflow.
  reported by Guido Vranken <guido AT guidovranken.nl>.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55410 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

1 files changed, 7 insertions, 2 deletions

diff --git a/ext/date/date_strftime.c b/ext/date/date_strftime.c
index 20931a3124..9d8167b612 100644
--- a/ext/date/date_strftime.c
+++ b/ext/date/date_strftime.c
@@ -48,7 +48,7 @@ downcase(char *s, size_t i)
 /* strftime --- produce formatted time */
 
 static size_t
-date_strftime_with_tmx(char *s, size_t maxsize, const char *format,
+date_strftime_with_tmx(char *s, const size_t maxsize, const char *format,
 		       const struct tmx *tmx)
 {
     char *endp = s + maxsize;
@@ -575,7 +575,12 @@ date_strftime_with_tmx(char *s, size_t maxsize, const char *format,
 	  case '5': case '6':  case '7': case '8': case '9':
 	    {
 		char *e;
-		precision = (int)strtoul(format, &e, 10);
+		unsigned long prec = strtoul(format, &e, 10);
+		if (prec > INT_MAX || prec > maxsize) {
+		    errno = ERANGE;
+		    return 0;
+		}
+		precision = (int)prec;
 		format = e - 1;
 		goto again;
 	    }