Skip to content

Commit

Permalink
Fixes #4556. Java::JavaLang::ArrayIndexOutOfBoundsException in CGI.un…
Browse files Browse the repository at this point in the history
…escapeHTML.

This was ported C code and it works in C because the string has a last \0 char.  Our array is not null byte terminated and we run off the end.  Adding a spec in a separate commit.
enebo committed Apr 5, 2017
1 parent 5301ae0 commit 9506fd2
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion core/src/main/java/org/jruby/ext/cgi/escape/CGIEscape.java
Original file line number Diff line number Diff line change
@@ -171,7 +171,7 @@ static boolean MATCH(byte[] s, int len, int i, byte[] cstrBytes, int cstr) {
cc = ruby_scan_digits(cstrBytes, cstr + i, len - i, 10, clenOverflow);
clen = clenOverflow[0];
overflow = clenOverflow[1] == 1;
} else if ((cstrBytes[cstr + i] == 'x' || cstrBytes[cstr + i] == 'X') && len - ++i >= 2 && ISXDIGIT(cstrBytes, cstr + i)) {
} else if (i < len && (cstrBytes[cstr + i] == 'x' || cstrBytes[cstr + i] == 'X') && len - ++i >= 2 && ISXDIGIT(cstrBytes, cstr + i)) {
int[] clenOverflow = {clen, overflow ? 1 : 0};
cc = ruby_scan_digits(cstrBytes, cstr + i, len - i, 16, clenOverflow);
clen = clenOverflow[0];

0 comments on commit 9506fd2

Please sign in to comment.