From fc188f1646f3a925f0d5935d92f6a0131323413e Mon Sep 17 00:00:00 2001
From: rhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Fri, 1 Sep 2017 08:16:38 +0000
Subject: [PATCH] object.c: fix potential oob write in rb_str_to_dbl()

Ensure space for the terminating NUL byte. Note that this code path is
reachable only when Ruby is compiled with SHARABLE_MIDDLE_SUBSTRING=1.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@59714 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 object.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/object.c b/object.c
index 378eb3a04e..0f91a1b43e 100644
--- a/object.c
+++ b/object.c
@@ -3302,7 +3302,7 @@ rb_str_to_dbl(VALUE str, int badcheck)
 	    rb_raise(rb_eArgError, "string for Float contains null byte");
 	}
 	if (s[len]) {		/* no sentinel somehow */
-	    char *p =  ALLOCV(v, len);
+	    char *p = ALLOCV(v, (size_t)len + 1);
 	    MEMCPY(p, s, char, len);
 	    p[len] = '\0';
 	    s = p;