From da652e1827a47c8ee37fab72832ba8324c94911f Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date: Sat, 26 Jun 2021 01:48:01 +0900
Subject: Check month overflow when marshal

https://hackerone.com/reports/1244185
---
 time.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'time.c')

diff --git a/time.c b/time.c
index 9c23089cfd..8f044e1e59 100644
--- a/time.c
+++ b/time.c
@@ -5251,8 +5251,13 @@ time_mload(VALUE time, VALUE str)
                 year = rb_int_plus(year, year_extend);
             }
         }
+        unsigned int mon = ((int)(p >> 10) & 0xf); /* 0...12 */
+        if (mon >= 12) {
+            mon -= 12;
+            year = addv(year, LONG2FIX(1));
+        }
         vtm.year = year;
-	vtm.mon  = ((int)(p >> 10) & 0xf) + 1;
+	vtm.mon  = mon + 1;
 	vtm.mday = (int)(p >>  5) & 0x1f;
 	vtm.hour = (int) p        & 0x1f;
 	vtm.min  = (int)(s >> 26) & 0x3f;
-- 
cgit v1.2.3