diff options
author | Nobuyoshi Nakada <nobu@ruby-lang.org> | 2021-09-03 19:40:22 +0900 |
---|---|---|
committer | git <svn-admin@ruby-lang.org> | 2021-11-24 19:58:59 +0900 |
commit | da34f31ad0315b9b8dfb318aafab393aee54968f (patch) | |
tree | 4ee9ce2acf723bb0ba7122024ac3855cb4115d65 /ext/cgi/escape | |
parent | 3454a456d1005dac799279dae42555759b741fc9 (diff) | |
download | ruby-da34f31ad0315b9b8dfb318aafab393aee54968f.tar.gz |
[ruby/cgi] Fix integer overflow
Make use of the check in rb_alloc_tmp_buffer2.
https://hackerone.com/reports/1328463
https://github.com/ruby/cgi/commit/c728632c1c
Diffstat (limited to 'ext/cgi/escape')
-rw-r--r-- | ext/cgi/escape/escape.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/ext/cgi/escape/escape.c b/ext/cgi/escape/escape.c index 3a7837e4df..809f95ef4c 100644 --- a/ext/cgi/escape/escape.c +++ b/ext/cgi/escape/escape.c @@ -36,7 +36,8 @@ static VALUE optimized_escape_html(VALUE str) { VALUE vbuf; - char *buf = ALLOCV_N(char, vbuf, RSTRING_LEN(str) * HTML_ESCAPE_MAX_LEN); + typedef char escape_buf[HTML_ESCAPE_MAX_LEN]; + char *buf = *ALLOCV_N(escape_buf, vbuf, RSTRING_LEN(str)); const char *cstr = RSTRING_PTR(str); const char *end = cstr + RSTRING_LEN(str); |