From 7357f524beb54ce64c5669afa39e6c68a72cea9b Mon Sep 17 00:00:00 2001
From: naruse
Date: Wed, 28 Mar 2018 09:26:06 +0000
Subject: [PATCH] pack.c: fix underflow
* pack.c (pack_unpack_internal): get rid of underflow. https://hackerone.com/reports/298246
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@62975 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 pack.c | 2 +-
 test/ruby/test_pack.rb | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/pack.c b/pack.c
index 45b816a590..12f30cb6b0 100644
--- a/pack.c
+++ b/pack.c
@@ -1127,7 +1127,7 @@ pack_unpack_internal(VALUE str, VALUE fmt, int mode)
 else if (ISDIGIT(*p)) {
 errno = 0;
 len = STRTOUL(p, (char**)&p, 10);
- if (errno) {
+ if (len < 0 || errno) {
 rb_raise(rb_eRangeError, "pack length too big");
 }
 }
diff --git a/test/ruby/test_pack.rb b/test/ruby/test_pack.rb
index 62a7a54e8d..a872bf33c2 100644
--- a/test/ruby/test_pack.rb
+++ b/test/ruby/test_pack.rb
@@ -548,6 +548,9 @@ class TestPack < Test::Unit::TestCase
 assert_equal([1, 2], "\x01\x00\x00\x02".unpack("C@3C"))
 assert_equal([nil], "\x00".unpack("@1C")) # is it OK?
 assert_raise(ArgumentError) { "\x00".unpack("@2C") }
+
+ pos = RbConfig::LIMITS["UINTPTR_MAX"] - 99 # -100
+ assert_raise(RangeError) {"0123456789".unpack("@#{pos}C10")}
 end
 
 def test_pack_unpack_percent
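Review bot: The added `len < 0` test in the digit branch runs only after the unsigned result of STRTOUL has been stored in `len`, so it depends on `len` being a signed type and on the implementation-defined conversion of out-of-range values; `len` is declared outside this hunk, and if it were unsigned the comparison would always be false. Checking the range before the conversion states the intent directly: `unsigned long n = STRTOUL(p, (char**)&p, 10);`, then `if (errno || n > LONG_MAX) rb_raise(rb_eRangeError, "pack length too big");`, then `len = (long)n;`. A short comment such as `/* counts above LONG_MAX would become negative and could slip past later offset checks */` would record why the guard exists. The directive code that consumes `len` is outside the hunk, so it is worth confirming that its own bounds checks also reject negative values rather than relying on this parse-time guard alone.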
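Review bot: The regression case added here builds its offset from `RbConfig::LIMITS["UINTPTR_MAX"]`, which reaches the new `len < 0` branch only where `unsigned long` is as wide as a pointer; on a platform where it is narrower the parse would presumably fail with a range error in strtoul and the assertion would pass through the old `errno` path without covering the fix. A boundary case built from the signed limit, e.g. `pos = RbConfig::LIMITS["LONG_MAX"] + 1` with the same `assert_raise(RangeError)`, would pin the first value that must be rejected. `RbConfig::LIMITS` is provided by `rbconfig/sizeof`, and the require is not visible in this hunk, so confirm the test file loads it. The enclosing test method starts above the hunk.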