From 80c37b72cf6f57718227076366a651bbc1f73960 Mon Sep 17 00:00:00 2001
From: shyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Fri, 7 Sep 2007 07:40:27 +0000
Subject: 	* string.c (rb_str_splice): integer overflow for length. 
   [ruby-dev:31739]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8_6@13395 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog | 5 +++++
 string.c  | 2 +-
 version.h | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 2c25628127..7f88ee4ea5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Fri Sep  7 16:39:23 2007  Yukihiro Matsumoto  <matz@ruby-lang.org>
+
+	* string.c (rb_str_splice): integer overflow for length.
+	  [ruby-dev:31739]
+
 Fri Sep  7 16:33:23 2007  Yukihiro Matsumoto  <matz@ruby-lang.org>
 
 	* include/ruby/defines.h (flush_register_windows): call "ta 0x03"
diff --git a/string.c b/string.c
index 08c958d8e4..d27b5b4ff6 100644
--- a/string.c
+++ b/string.c
@@ -1647,7 +1647,7 @@ rb_str_splice(str, beg, len, val)
 	}
 	beg += RSTRING(str)->len;
     }
-    if (RSTRING(str)->len < beg + len) {
+    if (RSTRING(str)->len < len || RSTRING(str)->len < beg + len) {
 	len = RSTRING(str)->len - beg;
     }
 
diff --git a/version.h b/version.h
index f227166853..cbf9a89f34 100644
--- a/version.h
+++ b/version.h
@@ -2,7 +2,7 @@
 #define RUBY_RELEASE_DATE "2007-09-07"
 #define RUBY_VERSION_CODE 186
 #define RUBY_RELEASE_CODE 20070907
-#define RUBY_PATCHLEVEL 97
+#define RUBY_PATCHLEVEL 98
 
 #define RUBY_VERSION_MAJOR 1
 #define RUBY_VERSION_MINOR 8
-- 
cgit v1.2.3