From 0d530b2392585cc535fb905f9ba4467257ef289c Mon Sep 17 00:00:00 2001
From: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Sun, 28 Aug 2011 06:53:47 +0000
Subject: * ext/date/date_parse.c (date_zone_to_diff): keep a temporary string 
  stored in variable while the contents buffer is beeing used.

* ext/date/date_parse.c (date_zone_to_diff): get rid of out of bounds
  memory read.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33106 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ext/date/date_parse.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'ext/date/date_parse.c')

diff --git a/ext/date/date_parse.c b/ext/date/date_parse.c
index 1214f39781..597c25ac55 100644
--- a/ext/date/date_parse.c
+++ b/ext/date/date_parse.c
@@ -392,10 +392,10 @@ date_zone_to_diff(VALUE str)
 	dl = RSTRING_LEN(str) - (sizeof DST - 1);
 	ds = RSTRING_PTR(str) + dl;
 
-	if (strcmp(ss, STD) == 0) {
+	if (sl >= 0 && strcmp(ss, STD) == 0) {
 	    str = rb_str_new(RSTRING_PTR(str), sl);
 	}
-	else if (strcmp(ds, DST) == 0) {
+	else if (dl >= 0 && strcmp(ds, DST) == 0) {
 	    str = rb_str_new(RSTRING_PTR(str), dl);
 	    dst = 1;
 	}
@@ -409,7 +409,7 @@ date_zone_to_diff(VALUE str)
 	    dl = RSTRING_LEN(str) - (sizeof DST - 1);
 	    ds = RSTRING_PTR(str) + dl;
 
-	    if (strcmp(ds, DST) == 0) {
+	    if (dl >= 0 && strcmp(ds, DST) == 0) {
 		str = rb_str_new(RSTRING_PTR(str), dl);
 		dst = 1;
 	    }
@@ -441,8 +441,10 @@ date_zone_to_diff(VALUE str)
 	    char *s, *p;
 	    VALUE sign;
 	    VALUE hour = Qnil, min = Qnil, sec = Qnil;
+	    VALUE str_orig;
 
 	    s = RSTRING_PTR(str);
+	    str_orig = str;
 
 	    if (strncmp(s, "gmt", 3) == 0 ||
 		strncmp(s, "utc", 3) == 0)
@@ -467,6 +469,7 @@ date_zone_to_diff(VALUE str)
 		    }
 		    else
 			min = rb_str_new2(s);
+		    RB_GC_GUARD(str_orig);
 		    goto num;
 		}
 		if (strpbrk(RSTRING_PTR(str), ",.")) {
-- 
cgit v1.2.3