Merge pull request #3503 from nobu/bug/sprintf-oob

Fix out-of-bound access

Merge pull request #3503 from nobu/bug/sprintf-oob
Fix out-of-bound access
4b1e5d47 · Yukihiro "Matz" Matsumoto · GitHub · 191ee259 · d8c4fe7b · 4b1e5d47
Commit 4b1e5d47 authored Mar 14, 2017 by Yukihiro "Matz" Matsumoto Committed by GitHub Mar 14, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 0 deletions

mrbgems/mruby-sprintf/src/sprintf.c mrbgems/mruby-sprintf/src/sprintf.c +1 -0

mrbgems/mruby-sprintf/test/sprintf.rb mrbgems/mruby-sprintf/test/sprintf.rb +11 -0

No files found.
--- a/mrbgems/mruby-sprintf/src/sprintf.c
+++ b/mrbgems/mruby-sprintf/src/sprintf.c
@@ -567,6 +567,7 @@ mrb_str_format(mrb_state *mrb, int argc, const mrb_value *argv, mrb_value fmt)
    mrb_sym id = 0;

    for (t = p; t < end && *t != '%'; t++) ;
+    if (t + 1 == end) ++t;
    PUSH(p, t - p);
    if (t >= end)
      goto sprint_exit; /* end of fmt string */

--- a/mrbgems/mruby-sprintf/test/sprintf.rb
+++ b/mrbgems/mruby-sprintf/test/sprintf.rb
@@ -30,3 +30,14 @@ assert("String#% with invalid chr") do
    end
  end
 end
+
+assert("String#% invalid format") do
+  assert_raise ArgumentError do
+    "%?" % ""
+  end
+end
+
+assert("String#% invalid format shared substring") do
+  fmt = ("x"*30+"%!")[0...-1]
+  assert_equal fmt, sprintf(fmt, "")
+end