From ae824807055802a812a23f19cd1a5086223df11d Mon Sep 17 00:00:00 2001
From: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Thu, 5 Aug 2010 03:39:19 +0000
Subject: [PATCH] * string.c (str_make_independent_expand): fix buffer overflow
   while shrinking.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@28863 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog | 5 +++++
 string.c  | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 45f11b6413..de313392c1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Thu Aug  5 12:39:14 2010  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* string.c (str_make_independent_expand): fix buffer overflow
+	  while shrinking.
+
 Thu Aug  5 06:42:31 2010  Tanaka Akira  <akr@fsij.org>
 
 	* file.c (realpath_rec): call rb_str_modify before rb_str_set_len.
diff --git a/string.c b/string.c
index d27c67a948..865de57271 100644
--- a/string.c
+++ b/string.c
@@ -1271,8 +1271,9 @@ str_make_independent_expand(VALUE str, long expand)
 
     ptr = ALLOC_N(char, len+expand+1);
     if (RSTRING_PTR(str)) {
-	memcpy(ptr, RSTRING_PTR(str), len);
+	memcpy(ptr, RSTRING_PTR(str), expand < 0 ? len + expand : len);
     }
+    len += expand;
     STR_SET_NOEMBED(str);
     ptr[len] = 0;
     RSTRING(str)->as.heap.ptr = ptr;