ruby-changes:69910

From: Nobuyoshi <ko1@a...>
Date: Wed, 24 Nov 2021 19:59:11 +0900 (JST)
Subject: [ruby-changes:69910] da34f31ad0 (master): [ruby/cgi] Fix integer overflow

https://git.ruby-lang.org/ruby.git/commit/?id=da34f31ad0

From da34f31ad0315b9b8dfb318aafab393aee54968f Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@r...>
Date: Fri, 3 Sep 2021 19:40:22 +0900
Subject: [ruby/cgi] Fix integer overflow

Make use of the check in rb_alloc_tmp_buffer2.

https://hackerone.com/reports/1328463

https://github.com/ruby/cgi/commit/c728632c1c
---
 ext/cgi/escape/escape.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ext/cgi/escape/escape.c b/ext/cgi/escape/escape.c
index 3a7837e4df9..809f95ef4cc 100644
--- a/ext/cgi/escape/escape.c
+++ b/ext/cgi/escape/escape.c
@@ -36,7 +36,8 @@ static VALUE https://github.com/ruby/ruby/blob/trunk/ext/cgi/escape/escape.c#L36
 optimized_escape_html(VALUE str)
 {
     VALUE vbuf;
-    char *buf = ALLOCV_N(char, vbuf, RSTRING_LEN(str) * HTML_ESCAPE_MAX_LEN);
+    typedef char escape_buf[HTML_ESCAPE_MAX_LEN];
+    char *buf = *ALLOCV_N(escape_buf, vbuf, RSTRING_LEN(str));
     const char *cstr = RSTRING_PTR(str);
     const char *end = cstr + RSTRING_LEN(str);
 
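Review bot: the `typedef char escape_buf[HTML_ESCAPE_MAX_LEN];` line needs a comment explaining why the element type is an array. Nothing at the call site tells a reader that the count is now passed unmultiplied so that the size computation happens inside ALLOCV_N, where, per the commit message, rb_alloc_tmp_buffer2 checks it. Without that note, a later cleanup could restore the `RSTRING_LEN(str) * HTML_ESCAPE_MAX_LEN` form and bring back the unchecked multiplication. The same comment should mention that the leading `*` in `*ALLOCV_N(escape_buf, vbuf, RSTRING_LEN(str))` only turns the pointer-to-array into a `char *` to the start of the buffer, since it is easy to misread. The diffstat shows only escape.c changing, so consider whether a regression test for the oversized-input case can accompany this.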
-- 
cgit v1.2.1


--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/