From 1457ee2ce4582456a7226fe81b817abb9548813e Mon Sep 17 00:00:00 2001
From: akr
Date: Wed, 26 Jun 2013 03:49:45 +0000
Subject: [PATCH] * bignum.c (bigxor_int): Fix a buffer over read.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@41640 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog | 4 ++++
 bignum.c | 27 +++++++++++++++++---------
 2 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 84948c2957..d908e2153d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Wed Jun 26 12:48:22 2013 Tanaka Akira
+
+ * bignum.c (bigxor_int): Fix a buffer over read.
+
 Wed Jun 26 12:13:12 2013 Tanaka Akira
 
 * bignum.c (bigand_int): Consider negative values.
 
diff --git a/bignum.c b/bignum.c
index ce0706631a..4b926160f5 100644
--- a/bignum.c
+++ b/bignum.c
@@ -4873,6 +4873,10 @@ bigxor_int(VALUE x, long y)
 sign = (y >= 0) ? 1 : 0;
 xds = BDIGITS(x);
 zn = xn = RBIGNUM_LEN(x);
+#if SIZEOF_BDIGITS < SIZEOF_LONG
+ if (zn < bdigit_roomof(SIZEOF_LONG))
+ zn = bdigit_roomof(SIZEOF_LONG);
+#endif
 z = bignew(zn, !(RBIGNUM_SIGN(x) ^ sign));
 zds = BDIGITS(z);
 
@@ -4880,19 +4884,22 @@ bigxor_int(VALUE x, long y)
 i = 1;
 zds[0] = xds[0] ^ y;
 #else
- {
- long num = y;
-
- for (i=0; i
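Review bot: In the first bignum.c hunk, the added `#if SIZEOF_BDIGITS < SIZEOF_LONG` block lets `zn` exceed `xn` for short bignums, but nothing there records that `xds` still holds only `xn` digits, which is the invariant this over-read fix depends on. I would add a comment above the block such as `/* z needs room for every digit of y; xds still has only xn digits, so index xds only with i < xn */`. bigxor_int starts before this hunk and continues past it, and the following hunk is cut off in this view, so whether every later read of `xds[i]` is bounded by `xn` rather than `zn` cannot be confirmed from here. A regression test that XORs a bignum shorter than `bdigit_roomof(SIZEOF_LONG)` digits with a `long`, on a build where this `#if` is active, would keep the bound from regressing.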