stringio.c: fix index overflow

* ext/stringio/stringio.c (strio_getline): fix pointer index
  overflow.  reported by Guido Vranken <guido AT guidovranken.nl>.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55432 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

ChangeLog

@@ -1,3 +1,8 @@
+Sat Jun 18 08:52:46 2016  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* ext/stringio/stringio.c (strio_getline): fix pointer index
+	  overflow.  reported by Guido Vranken <guido AT guidovranken.nl>.
+
 Thu Jun 16 16:35:35 2016  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* class.c (Init_class_hierarchy): prevent rb_cObject which is the

ext/stringio/stringio.c

@@ -1021,7 +1021,7 @@ strio_getline(int argc, VALUE *argv, struct StringIO *ptr)
     s = RSTRING_PTR(ptr->string);
     e = s + RSTRING_LEN(ptr->string);
     s += ptr->pos;
-    if (limit > 0 && s + limit < e) {
+    if (limit > 0 && (size_t)limit < (size_t)(e - s)) {
 	e = rb_enc_right_char_head(s, s + limit, e, get_enc(ptr));
     }
     if (NIL_P(str)) {

test/stringio/test_stringio.rb

@@ -680,4 +680,16 @@ class TestStringIO < Test::Unit::TestCase
       StringIO.new {}
     end
   end
+
+  def test_overflow
+    limit = (1 << (RbConfig::SIZEOF["size_t"]*8-1)) - 0x10
+    assert_separately(%w[-rstringio], "#{<<-"begin;"}\n#{<<-"end;"}")
+    begin;
+      limit = #{limit}
+      x = ("a"*0x100000)
+      s = StringIO.new(x)
+      s.gets("xxx", limit)
+      assert_equal(0x100000, s.pos)
+    end;
+  end
 end