Fixes #4556. Java::JavaLang::ArrayIndexOutOfBoundsException in CGI.un…

…escapeHTML. This was ported C code and it works in C because the string has a last \0 char. Our array is not null byte terminated and we run off the end. Adding a spec in a separate commit.
jruby · Apr 5, 2017 · 9506fd2 · 9506fd2
1 parent 5301ae0
commit 9506fd2
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/core/src/main/java/org/jruby/ext/cgi/escape/CGIEscape.java b/core/src/main/java/org/jruby/ext/cgi/escape/CGIEscape.java
@@ -171,7 +171,7 @@ static boolean MATCH(byte[] s, int len, int i, byte[] cstrBytes, int cstr) {
                         cc = ruby_scan_digits(cstrBytes, cstr + i, len - i, 10, clenOverflow);
                         clen = clenOverflow[0];
                         overflow = clenOverflow[1] == 1;
-                    } else if ((cstrBytes[cstr + i] == 'x' || cstrBytes[cstr + i] == 'X') && len - ++i >= 2 && ISXDIGIT(cstrBytes, cstr + i)) {
+                    } else if (i < len && (cstrBytes[cstr + i] == 'x' || cstrBytes[cstr + i] == 'X') && len - ++i >= 2 && ISXDIGIT(cstrBytes, cstr + i)) {
                         int[] clenOverflow = {clen, overflow ? 1 : 0};
                         cc = ruby_scan_digits(cstrBytes, cstr + i, len - i, 16, clenOverflow);
                         clen = clenOverflow[0];