2 files changed, 15 insertions, 4 deletions

diff --git a/ChangeLog b/ChangeLog
index 7d60bdd398..61e7a8929f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+Tue Sep 24 17:38:56 2013  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* string.c (rb_str_inspect): get rid of out-of-bound access.
+
+	* string.c (rb_str_inspect): when a UTF-16/32 string doesn't have a
+	  BOM, inspect as a dummy encoding string.
+
 Tue Sep 24 17:15:10 2013  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* enc/encdb.c (ENC_DUMMY_UNICODE): make BOM-encodings dummy.
diff --git a/string.c b/string.c
index 1b64425977..92f15dd294 100644
--- a/string.c
+++ b/string.c
@@ -4735,23 +4735,27 @@ rb_str_inspect(VALUE str)
 
     p = RSTRING_PTR(str); pend = RSTRING_END(str);
     prev = p;
-    if (encidx == ENCINDEX_UTF_16) {
+    if (encidx == ENCINDEX_UTF_16 && p + 2 <= pend) {
 	const unsigned char *q = (const unsigned char *)p;
 	if (q[0] == 0xFE && q[1] == 0xFF)
 	    enc = rb_enc_from_index(ENCINDEX_UTF_16BE);
 	else if (q[0] == 0xFF && q[1] == 0xFE)
 	    enc = rb_enc_from_index(ENCINDEX_UTF_16LE);
-	else
+	else {
+	    enc = rb_ascii8bit_encoding();
 	    unicode_p = 0;
+	}
     }
-    else if (encidx == ENCINDEX_UTF_32) {
+    else if (encidx == ENCINDEX_UTF_32 && p + 4 <= pend) {
 	const unsigned char *q = (const unsigned char *)p;
 	if (q[0] == 0 && q[1] == 0 && q[2] == 0xFE && q[3] == 0xFF)
 	    enc = rb_enc_from_index(ENCINDEX_UTF_32BE);
 	else if (q[3] == 0 && q[2] == 0 && q[1] == 0xFE && q[0] == 0xFF)
 	    enc = rb_enc_from_index(ENCINDEX_UTF_32LE);
-	else
+	else {
+	    enc = rb_ascii8bit_encoding();
 	    unicode_p = 0;
+	}
     }
     while (p < pend) {
 	unsigned int c, cc;