From da34f31ad0315b9b8dfb318aafab393aee54968f Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date: Fri, 3 Sep 2021 19:40:22 +0900
Subject: [PATCH] [ruby/cgi] Fix integer overflow

Make use of the check in rb_alloc_tmp_buffer2.

https://hackerone.com/reports/1328463

https://github.com/ruby/cgi/commit/c728632c1c
---
 ext/cgi/escape/escape.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ext/cgi/escape/escape.c b/ext/cgi/escape/escape.c
index 3a7837e4df..809f95ef4c 100644
--- a/ext/cgi/escape/escape.c
+++ b/ext/cgi/escape/escape.c
@@ -36,7 +36,8 @@ static VALUE
 optimized_escape_html(VALUE str)
 {
     VALUE vbuf;
-    char *buf = ALLOCV_N(char, vbuf, RSTRING_LEN(str) * HTML_ESCAPE_MAX_LEN);
+    typedef char escape_buf[HTML_ESCAPE_MAX_LEN];
+    char *buf = *ALLOCV_N(escape_buf, vbuf, RSTRING_LEN(str));
     const char *cstr = RSTRING_PTR(str);
     const char *end = cstr + RSTRING_LEN(str);