Avoid integer overflow in sprintf(); fix #3439

This issue was reported by https://hackerone.com/aerodudrizzt

Avoid integer overflow in sprintf(); fix #3439
This issue was reported by https://hackerone.com/aerodudrizzt
ff03a9a6 · Yukihiro "Matz" Matsumoto · 642ab8ec · ff03a9a6
Commit ff03a9a6 authored Feb 11, 2017 by Yukihiro "Matz" Matsumoto
Show whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

mrbgems/mruby-sprintf/src/sprintf.c mrbgems/mruby-sprintf/src/sprintf.c +2 -1

No files found.
--- a/mrbgems/mruby-sprintf/src/sprintf.c
+++ b/mrbgems/mruby-sprintf/src/sprintf.c
@@ -116,8 +116,9 @@ mrb_fix2binstr(mrb_state *mrb, mrb_value x, int base)
 #define CHECK(l) do {\
 /*  int cr = ENC_CODERANGE(result);*/\
-  while (blen + (l) >= bsiz) {\
+  while ((l) >= bsiz - blen) {\
    bsiz*=2;\
+    if (bsiz < 0) mrb_raise(mrb, E_ARGUMENT_ERROR, "too big specifier"); \
  }\
  mrb_str_resize(mrb, result, bsiz);\
 /*  ENC_CODERANGE_SET(result, cr);*/\