From 6bcf74c4ef3732408a357df6fa433ccc2f975a87 Mon Sep 17 00:00:00 2001
From: shyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Fri, 7 Sep 2007 05:37:05 +0000
Subject: 	* string.c (rb_str_splice): integer overflow for length. 
   [ruby-dev:31739]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8_5@13371 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog | 5 +++++
 string.c  | 2 +-
 version.h | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 777a5ec475..d2b3028382 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Fri Sep  7 14:32:38 2007  Yukihiro Matsumoto  <matz@ruby-lang.org>
+
+	* string.c (rb_str_splice): integer overflow for length.
+	  [ruby-dev:31739]
+
 Fri Sep  7 14:27:33 2007  Yukihiro Matsumoto  <matz@ruby-lang.org>
 
 	* eval.c (mnew): should preserve noex as safe_level.
diff --git a/string.c b/string.c
index 58fa0362fc..f5de52c152 100644
--- a/string.c
+++ b/string.c
@@ -1644,7 +1644,7 @@ rb_str_splice(str, beg, len, val)
 	}
 	beg += RSTRING(str)->len;
     }
-    if (RSTRING(str)->len < beg + len) {
+    if (RSTRING(str)->len < len || RSTRING(str)->len < beg + len) {
 	len = RSTRING(str)->len - beg;
     }
 
diff --git a/version.h b/version.h
index f4c7420409..589ef26ce5 100644
--- a/version.h
+++ b/version.h
@@ -2,7 +2,7 @@
 #define RUBY_RELEASE_DATE "2007-09-07"
 #define RUBY_VERSION_CODE 185
 #define RUBY_RELEASE_CODE 20070907
-#define RUBY_PATCHLEVEL 105
+#define RUBY_PATCHLEVEL 106
 
 #define RUBY_VERSION_MAJOR 1
 #define RUBY_VERSION_MINOR 8
-- 
cgit v1.2.3