-rw-r--r--ChangeLog5
-rw-r--r--ext/stringio/stringio.c2
-rw-r--r--test/stringio/test_stringio.rb12
3 files changed, 18 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 27aa83aba1..914b57c10d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Sat Jun 18 08:52:46 2016 Nobuyoshi Nakada <nobu@ruby-lang.org>
+
+ * ext/stringio/stringio.c (strio_getline): fix pointer index
+ overflow. reported by Guido Vranken <guido AT guidovranken.nl>.
+
Thu Jun 16 16:35:35 2016 Nobuyoshi Nakada <nobu@ruby-lang.org>
* class.c (Init_class_hierarchy): prevent rb_cObject which is the
diff --git a/ext/stringio/stringio.c b/ext/stringio/stringio.c
index 4fdc4df51e..f35c702d0a 100644
--- a/ext/stringio/stringio.c
+++ b/ext/stringio/stringio.c
@@ -1021,7 +1021,7 @@ strio_getline(int argc, VALUE *argv, struct StringIO *ptr)
s = RSTRING_PTR(ptr->string);
e = s + RSTRING_LEN(ptr->string);
s += ptr->pos;
- if (limit > 0 && s + limit < e) {
+ if (limit > 0 && (size_t)limit < (size_t)(e - s)) {
e = rb_enc_right_char_head(s, s + limit, e, get_enc(ptr));
}
if (NIL_P(str)) {
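Review bot: The rewritten guard `if (limit > 0 && (size_t)limit < (size_t)(e - s))` is only safe if `ptr->pos` cannot exceed `RSTRING_LEN(ptr->string)` at this point: with `s += ptr->pos` on the line above, a pos past the end makes `e - s` negative, the `size_t` cast turns it into a huge value, the comparison passes, and `s + limit` on the next line is again computed from an out-of-range pointer. I assume an earlier bound on pos in strio_getline covers this (the function starts outside the hunk), but the reason for the length comparison deserves a line so nobody "simplifies" it back to pointer form: `/* compare lengths, not pointers: s + limit can overflow and wrap below e */`. The `limit > 0` check before the cast is what keeps `(size_t)limit` well-defined, so it should stay first in the condition.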
diff --git a/test/stringio/test_stringio.rb b/test/stringio/test_stringio.rb
index bf3a9eeb1b..ce84800d4b 100644
--- a/test/stringio/test_stringio.rb
+++ b/test/stringio/test_stringio.rb
@@ -680,4 +680,16 @@ class TestStringIO < Test::Unit::TestCase
StringIO.new {}
end
end
+
+ def test_overflow
+ limit = (1 << (RbConfig::SIZEOF["size_t"]*8-1)) - 0x10
+ assert_separately(%w[-rstringio], "#{<<-"begin;"}\n#{<<-"end;"}")
+ begin;
+ limit = #{limit}
+ x = ("a"*0x100000)
+ s = StringIO.new(x)
+ s.gets("xxx", limit)
+ assert_equal(0x100000, s.pos)
+ end;
+ end
end
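Review bot: `test_overflow` sizes `limit` from `RbConfig::SIZEOF["size_t"]`, but the value is handed to `gets` as a Ruby Integer and, if the C side converts it with a `long` conversion, a 63-bit value does not fit on LLP64 platforms where `long` is 32 bits, so the test would raise RangeError there rather than exercise the overflow; if that is the conversion used, `RbConfig::SIZEOF["long"]` is the width that matches. The test also only checks `s.pos`; asserting the returned line as well, `assert_equal(x, s.gets("xxx", limit))` in place of the bare `s.gets` call, pins that the whole buffer is returned and not just that the position advanced. Minor style: `x = ("a"*0x100000)` has redundant parentheses and the `SIZEOF` expression wants spaces around `*` and `-`.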