-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | sprintf.c | 4 | ||||
-rw-r--r-- | test/ruby/test_sprintf.rb | 5 | ||||
-rw-r--r-- | version.h | 2 |
4 files changed, 13 insertions, 3 deletions
@@ -1,3 +1,8 @@
+Tue Dec 27 19:57:51 2016 Nobuyoshi Nakada <nobu@ruby-lang.org>
+
+ * sprintf.c (rb_str_format): fix memory corruption by width underflow.
+ https://github.com/mruby/mruby/issues/3347
+
 Tue Dec 27 19:55:10 2016 Nobuyoshi Nakada <nobu@ruby-lang.org>
 * re.c (rb_reg_regsub): other than regexp has no name references.
@@ -689,10 +689,10 @@ rb_str_format(int argc, const VALUE *argv, VALUE fmt)
 CHECK(n);
 rb_enc_mbcput(c, &buf[blen], enc);
 blen += n;
- FILL(' ', width-1);
+ if (width > 1) FILL(' ', width-1);
 }
 else {
- FILL(' ', width-1);
+ if (width > 1) FILL(' ', width-1);
 CHECK(n);
 rb_enc_mbcput(c, &buf[blen], enc);
 blen += n;
diff --git a/test/ruby/test_sprintf.rb b/test/ruby/test_sprintf.rb
index d429ef0ddc..3fd4736a54 100644
--- a/test/ruby/test_sprintf.rb
+++ b/test/ruby/test_sprintf.rb
@@ -421,4 +421,9 @@ class TestSprintf < Test::Unit::TestCase
 assert_equal(enc, e.message.encoding)
 end
 end
+
+ def test_width_underflow
+ bug = 'https://github.com/mruby/mruby/issues/3347'
+ assert_equal("!", sprintf("%*c", 0, ?!.ord), bug)
+ end
 end
@@ -1,6 +1,6 @@
 #define RUBY_VERSION "2.2.7"
 #define RUBY_RELEASE_DATE "2016-12-27"
-#define RUBY_PATCHLEVEL 409
+#define RUBY_PATCHLEVEL 410
 #define RUBY_RELEASE_YEAR 2016
 #define RUBY_RELEASE_MONTH 12 |
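Review bot: The `width > 1` guard is written out at both FILL call sites of this conversion instead of being enforced in one place, so the non-positive length this commit fixes remains each caller's responsibility. The FILL macro and any other call sites that pass it a computed length are outside this hunk, so whether they are exposed to the same underflow cannot be judged from here. If the macro is shared, consider rejecting a non-positive length inside FILL itself. At minimum, state the invariant at the guard, e.g. `/* width-1 must be positive before it reaches FILL; width 0 would underflow the fill length */`. rb_str_format begins and ends outside the hunk.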
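Review bot: test_width_underflow appears to exercise only the pad-before path with a width of 0, while the sprintf.c change also guards the branch that writes the character first and pads afterwards. Adding `assert_equal("!", sprintf("%-*c", 0, ?!.ord), bug)` would pin that second guarded branch. A width-1 case such as `assert_equal("!", sprintf("%*c", 1, ?!.ord), bug)` would pin the boundary of the new `width > 1` condition. The enclosing TestSprintf class starts outside the hunk.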