From 8f93c59ecab7b7279a78324db869f1cac78319d9 Mon Sep 17 00:00:00 2001
From: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Wed, 30 Mar 2016 20:16:19 +0000
Subject: merge revision(s) 54304: [Backport #12223]

	* sprintf.c (rb_str_format): fix buffer overflow, length must be
	  greater than precision.  reported by William Bowling <will AT
	  wbowling.info>.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_2@54443 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 sprintf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'sprintf.c')

diff --git a/sprintf.c b/sprintf.c
index 355b4adf00..80829a871c 100644
--- a/sprintf.c
+++ b/sprintf.c
@@ -1055,7 +1055,7 @@ rb_str_format(int argc, const VALUE *argv, VALUE fmt)
 		}
 		val = rb_obj_as_string(num);
 		len = RSTRING_LEN(val) + zero;
-		if (prec >= len) ++len; /* integer part 0 */
+		if (prec >= len) len = prec + 1; /* integer part 0 */
 		if (sign || (flags&FSPACE)) ++len;
 		if (prec > 0) ++len; /* period */
 		CHECK(len > width ? len : width);
-- 
cgit v1.2.3