[ruby/cgi] Fix integer overflow

Make use of the check in rb_alloc_tmp_buffer2. https://hackerone.com/reports/1328463 https://github.com/ruby/cgi/commit/c728632c1c
2021-09-03 19:40:22 +09:00 · 2021-09-03 19:40:22 +09:00 · da34f31ad0
commit da34f31ad0
parent 3454a456d1
1 changed files with 2 additions and 1 deletions
--- a/ext/cgi/escape/escape.c
+++ b/ext/cgi/escape/escape.c
@ -36,7 +36,8 @@ static VALUE
 optimized_escape_html(VALUE str)
 {
    VALUE vbuf;
-    char *buf = ALLOCV_N(char, vbuf, RSTRING_LEN(str) * HTML_ESCAPE_MAX_LEN);
+    typedef char escape_buf[HTML_ESCAPE_MAX_LEN];
+    char *buf = *ALLOCV_N(escape_buf, vbuf, RSTRING_LEN(str));
    const char *cstr = RSTRING_PTR(str);
    const char *end = cstr + RSTRING_LEN(str);