Fixes #4605. CGI.unescapeHTML => Java::JavaLang::ArrayIndexOutOfBound…

…sException One more bounds check. C has \0 so it can ask one char past len whereas we need to guard against it. I think this is the last one but since I audited the code after the last similar bug fix and did not notice this issue so who knows? :)
jruby · May 11, 2017 · c7dfb2d · c7dfb2d
1 parent e143db6
commit c7dfb2d
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/core/src/main/java/org/jruby/ext/cgi/escape/CGIEscape.java b/core/src/main/java/org/jruby/ext/cgi/escape/CGIEscape.java
@@ -178,7 +178,7 @@ static boolean MATCH(byte[] s, int len, int i, byte[] cstrBytes, int cstr) {
                         overflow = clenOverflow[1] == 1;
                     } else continue;
                     i += clen;
-                    if (overflow || cc >= charlimit || cstrBytes[cstr + i] != ';') continue;
+                    if (overflow || cc >= charlimit || i >= len || cstrBytes[cstr + i] != ';') continue;
                     if (dest == null) {
                         dest = RubyString.newStringLight(runtime, len);
                     }