Index: ChangeLog
===================================================================
--- ChangeLog	(revision 46805)
+++ ChangeLog	(revision 46806)
@@ -493,6 +493,11 @@
 	* array.c (rb_ary_permutation): `p` is the array of size `r`, as
 	  commented at permute0().  since `n >= r` here, buffer overflow
 	  never happened, just reduce unnecessary allocation though.
+
+Sun Jul 13 22:52:43 2014  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* pack.c (encodes): fix buffer overrun by tail_lf.  Thanks to
+	  Mamoru Tasaka and Tomas Hoger.  [ruby-core:63604] [Bug #10019]
 
 Mon Jul  7 13:05:04 2014  SHIBATA Hiroshi  <shibata.hiroshi@gmail.com>
 
Index: pack.c
===================================================================
--- pack.c	(revision 46805)
+++ pack.c	(revision 46806)
@@ -1063,7 +1063,8 @@
 static void
 encodes(VALUE str, const char *s, long len, int type, int tail_lf)
 {
-    char buff[4096];
+    enum {buff_size = 4096, encoded_unit = 4};
+    char buff[buff_size + 1];	/* +1 for tail_lf */
     long i = 0;
     const char *trans = type == 'u' ? uu_table : b64_table;
     char padding;
@@ -1076,7 +1077,7 @@
 	padding = '=';
     }
     while (len >= 3) {
-        while (len >= 3 && sizeof(buff)-i >= 4) {
+        while (len >= 3 && buff_size-i >= encoded_unit) {
             buff[i++] = trans[077 & (*s >> 2)];
             buff[i++] = trans[077 & (((*s << 4) & 060) | ((s[1] >> 4) & 017))];
             buff[i++] = trans[077 & (((s[1] << 2) & 074) | ((s[2] >> 6) & 03))];
@@ -1084,7 +1085,7 @@
             s += 3;
             len -= 3;
         }
-        if (sizeof(buff)-i < 4) {
+        if (buff_size-i < encoded_unit) {
             rb_str_buf_cat(str, buff, i);
             i = 0;
         }
@@ -1104,6 +1105,7 @@
     }
     if (tail_lf) buff[i++] = '\n';
     rb_str_buf_cat(str, buff, i);
+    if ((size_t)i > sizeof(buff)) rb_bug("encodes() buffer overrun");
 }
 
 static const char hex_table[] = "0123456789ABCDEF";
Index: test/ruby/test_pack.rb
===================================================================
--- test/ruby/test_pack.rb	(revision 46805)
+++ test/ruby/test_pack.rb	(revision 46806)
@@ -537,6 +537,14 @@
     assert_equal(["\377"], "/w==\n".unpack("m"))
     assert_equal(["\377\377"], "//8=\n".unpack("m"))
     assert_equal(["\377\377\377"], "////\n".unpack("m"))
+
+    bug10019 = '[ruby-core:63604] [Bug #10019]'
+    size = ((4096-4)/4*3+1)
+    assert_separately(%W[- #{size} #{bug10019}], <<-'end;')
+      size = ARGV.shift.to_i
+      bug = ARGV.shift
+      assert_equal(size, ["a"*size].pack("m#{size+2}").unpack("m")[0].size, bug)
+    end;
   end
 
   def test_pack_unpack_m0
Index: .
===================================================================
--- .	(revision 46805)
+++ .	(revision 46806)

Property changes on: .
___________________________________________________________________
Modified: svn:mergeinfo
   Merged /trunk:r46778