From f8180b8963a693d92a2be906a06ef2ffc204c284 Mon Sep 17 00:00:00 2001 From: nobu Date: Thu, 23 May 2013 08:35:34 +0000 Subject: [PATCH] load.c: fix invalid read * load.c (loaded_feature_path): fix invalid read by index underflow. the beginning of name is also a boundary as well as just after '/'. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40900 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- ChangeLog | 5 +++++ load.c | 11 ++++++----- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index ea80c54e63..798d9dd7c0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +Thu May 23 17:35:30 2013 Nobuyoshi Nakada + + * load.c (loaded_feature_path): fix invalid read by index underflow. + the beginning of name is also a boundary as well as just after '/'. + Thu May 23 17:21:22 2013 Nobuyoshi Nakada * gc.c (gc_profile_dump_on): revert r40898. ok to show the record diff --git a/load.c b/load.c index c478f095d7..5bd735a71b 100644 --- a/load.c +++ b/load.c @@ -315,7 +315,7 @@ loaded_feature_path(const char *name, long vlen, const char *feature, long len, if (vlen < len+1) return 0; if (!strncmp(name+(vlen-len), feature, len)) { - plen = vlen - len - 1; + plen = vlen - len; } else { for (e = name + vlen; name != e && *e != '.' && *e != '/'; --e); 
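Review bot: The meaning of `plen` changes in the first branch without any comment: after `plen = vlen - len;` it is the offset of `feature` inside `name` (one past the separator), no longer the length of the prefix. A short comment at the assignment, such as `/* plen: offset of feature in name; >= 1 here because vlen > len */`, would record why the later `name[plen-1]` read cannot underflow on this path. The matching assignment in the `else` branch (second load.c hunk) can yield 0, which is the case the new `plen > 0` guard covers. The body of `loaded_feature_path` starts and ends outside this hunk.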
@@ -323,19 +323,20 @@ loaded_feature_path(const char *name, long vlen, const char *feature, long len, e-name < len || strncmp(e-len, feature, len)) return 0; - plen = e - name - len - 1; + plen = e - name - len; } - if (name[plen] != '/') { + if (plen > 0 && name[plen-1] != '/') { return 0; } - if (type == 's' ? !IS_DLEXT(&name[plen+len+1]) : - type == 'r' ? !IS_RBEXT(&name[plen+len+1]) : + if (type == 's' ? !IS_DLEXT(&name[plen+len]) : + type == 'r' ? !IS_RBEXT(&name[plen+len]) : 0) { return 0; } /* Now name == "#{prefix}/#{feature}#{ext}" where ext is acceptable (possibly empty) and prefix is some string of length plen. */ + if (plen > 0) --plen; /* exclude '.' */ for (i = 0; i < RARRAY_LEN(load_path); ++i) { VALUE p = RARRAY_AREF(load_path, i); const char *s = StringValuePtr(p);
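Review bot: The comment on the added line `if (plen > 0) --plen; /* exclude '.' */` names the wrong character: the byte dropped is `name[plen-1]`, which the check a few lines above has just required to be '/', so `/* exclude the '/' separator */` matches the code. The retained block comment still says the prefix has length `plen`, which only holds after this decrement; it would read correctly if moved below the decrement or reworded to say that `plen` is 0 when `feature` starts at the beginning of `name`. The diffstat lists only ChangeLog and load.c, so the out-of-bounds read fixed here has no regression test in this commit; a case where `name` is just the feature plus its extension, with no directory part, would pin the `plen == 0` path. The `for` loop over `load_path` continues outside the hunk.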