merge revision(s) 54304: [Backport #12223]

* sprintf.c (rb_str_format): fix buffer overflow, length must be greater than precision. reported by William Bowling <will AT wbowling.info>. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@54505 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
author: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2016-04-06 16:15:59 +0000
committer: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2016-04-06 16:15:59 +0000
commit: 58f77932a45873d691d9dab1f042da45822bd991 (patch)
tree: 6979e901bb0087cb34862042acad2dd13a9a1cac /sprintf.c
parent: d309921ea54b54086ca20e57ab188528ef63023f (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/sprintf.c b/sprintf.c
index 84d5fd112b..a93ba8ffaf 100644
--- a/sprintf.c
+++ b/sprintf.c
@@ -1067,7 +1067,7 @@ rb_str_format(int argc, const VALUE *argv, VALUE fmt)
 		}
 		val = rb_obj_as_string(num);
 		len = RSTRING_LEN(val) + zero;
-		if (prec >= len) ++len; /* integer part 0 */
+		if (prec >= len) len = prec + 1; /* integer part 0 */
 		if (sign || (flags&FSPACE)) ++len;
 		if (prec > 0) ++len; /* period */
 		CHECK(len > width ? len : width);
author	nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2016-04-06 16:15:59 +0000
committer	nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2016-04-06 16:15:59 +0000
commit	58f77932a45873d691d9dab1f042da45822bd991 (patch)
tree	6979e901bb0087cb34862042acad2dd13a9a1cac /sprintf.c
parent	d309921ea54b54086ca20e57ab188528ef63023f (diff)