ruby-changes:43619
From: ngoto <ko1@a...>
Date: Fri, 15 Jul 2016 22:08:59 +0900 (JST)
Subject: [ruby-changes:43619] ngoto:r55692 (trunk): * string.c (str_buf_cat): Fix potential integer overflow of capa.
ngoto 2016-07-15 22:08:54 +0900 (Fri, 15 Jul 2016) New Revision: 55692 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=55692 Log: * string.c (str_buf_cat): Fix potential integer overflow of capa. In addition, termlen is used instead of +1. Modified files: trunk/ChangeLog trunk/string.c Index: string.c =================================================================== --- string.c (revision 55691) +++ string.c (revision 55692) @@ -2562,6 +2562,7 @@ str_buf_cat(VALUE str, const char *ptr, https://github.com/ruby/ruby/blob/trunk/string.c#L2562 long capa, total, olen, off = -1; char *sptr; const int termlen = TERM_LEN(str); + assert(termlen < RSTRING_EMBED_LEN_MAX + 1); /* < (LONG_MAX/2) */ RSTRING_GETMEM(str, sptr, olen); if (ptr >= sptr && ptr <= sptr + olen) { @@ -2586,11 +2587,11 @@ str_buf_cat(VALUE str, const char *ptr, https://github.com/ruby/ruby/blob/trunk/string.c#L2587 if (capa <= total) { if (LIKELY(capa > 0)) { while (total > capa) { - if (capa > LONG_MAX / 2) { + if (capa > LONG_MAX / 2 - termlen) { capa = (total + 4095) / 4096 * 4096; break; } - capa = 2 * capa + 1; + capa = 2 * capa + termlen; /* == 2*(capa+termlen)-termlen */ } } else { Index: ChangeLog =================================================================== --- ChangeLog (revision 55691) +++ ChangeLog (revision 55692) @@ -1,3 +1,8 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Fri Jul 15 22:05:13 2016 Naohisa Goto <ngotogenome@g...> + + * string.c (str_buf_cat): Fix potential interger overflow of capa. + In addition, termlen is used instead of +1. + Fri Jul 15 21:30:38 2016 Naohisa Goto <ngotogenome@g...> * string.c (str_buf_cat): Fix capa size for embed string. -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
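Review bot: the new `assert(termlen < RSTRING_EMBED_LEN_MAX + 1);` in the first string.c hunk is compiled out when NDEBUG is defined, so in release builds it documents rather than enforces the bound that the second hunk relies on: `LONG_MAX / 2 - termlen` must not go negative and `2 * capa + termlen` must not overflow. The trailing `/* < (LONG_MAX/2) */` should say that, e.g. `/* termlen is tiny, so LONG_MAX / 2 - termlen below cannot wrap */`, and if the bound has to hold for release builds too, a real check rather than an assert is needed.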
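Review bot: in the second string.c hunk the guard and the growth step now agree: with `capa <= LONG_MAX / 2 - termlen`, `2 * capa + termlen <= LONG_MAX - termlen`, so the doubling cannot overflow, whereas the old pair (`capa > LONG_MAX / 2` with `2 * capa + 1`) was only safe for termlen == 1 (for capa == LONG_MAX / 2 and termlen == 2 the old step already yields LONG_MAX + 1). One thing still worth confirming is the fallback `capa = (total + 4095) / 4096 * 4096;`: `total + 4095` itself has no overflow guard, so this branch is only safe if `total` is bounded well below LONG_MAX before the loop (it is computed outside this hunk); a one-line comment stating that bound next to the fallback would make the hunk self-explanatory.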
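Review bot: the new ChangeLog entry (like the commit log) spells "integer" as "interger"; worth correcting before the entry is copied into release notes.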