From 3fb7d2cadc18472ec107b14234933b017a33c14d Mon Sep 17 00:00:00 2001
From: nagachika <nagachika@ruby-lang.org>
Date: Wed, 24 Nov 2021 20:12:15 +0900
Subject:     Fix integer overflow

    Make use of the check in rb_alloc_tmp_buffer2.

    https://hackerone.com/reports/1328463

    When parsing cookies, only decode the values

    Bump version

    Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
    Co-authored-by: Yusuke Endoh <mame@ruby-lang.org>
---
 ext/cgi/escape/escape.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'ext/cgi/escape/escape.c')

diff --git a/ext/cgi/escape/escape.c b/ext/cgi/escape/escape.c
index 77627e2f03..d001eacd90 100644
--- a/ext/cgi/escape/escape.c
+++ b/ext/cgi/escape/escape.c
@@ -36,7 +36,8 @@ static VALUE
 optimized_escape_html(VALUE str)
 {
     VALUE vbuf;
-    char *buf = ALLOCV_N(char, vbuf, RSTRING_LEN(str) * HTML_ESCAPE_MAX_LEN);
+    typedef char escape_buf[HTML_ESCAPE_MAX_LEN];
+    char *buf = *ALLOCV_N(escape_buf, vbuf, RSTRING_LEN(str));
     const char *cstr = RSTRING_PTR(str);
     const char *end = cstr + RSTRING_LEN(str);
 
-- 
cgit v1.2.3