2 files changed, 14 insertions, 6 deletions

diff --git a/ChangeLog b/ChangeLog
index d3ddc2e4ef..173de3c0a6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,17 @@
+Fri May  6 15:01:11 2011  URABE Shyouhei  <[email protected]>
+
+	* ext/syck/rubyext.c (mktime_do): avoid buffer overrun, by
+	  silently ignoring lesser significant digits.  Required buffer
+	  length can be computable so you might at first think of
+	  allocating enough memory space on the fly using alloca().  That
+	  is a wrong idea because when using alloca there is always risk
+	  of integer overflow.  A function that accepts outer-process
+	  resources like this should not blindly trust its inputs.  In
+	  this particular case we just want to generate miliseconds
+	  resolution by strtod() so the string in question needs no more
+	  length than what we originally have.  Ignoring lesser
+	  significant digits should suffice I believe.
+
 Fri May  6 14:25:53 2011  Tinco Andringa <[email protected]>
 
 	* ext/syck/rubyext.c (mktime_do): YAML.load time correctly parse
diff --git a/ext/syck/rubyext.c b/ext/syck/rubyext.c
index b7ab817002..970b64ed05 100644
--- a/ext/syck/rubyext.c
+++ b/ext/syck/rubyext.c
@@ -281,12 +281,6 @@ mktime_do(VALUE varg)
         while ( isdigit( *end ) ) end++;
         length = (int)(end - begin) <= padding ? (int)(end - begin) : padding;
         MEMCPY(padded, begin, char, length);
-        length = (int)(end - begin);
-        if (length > padding) {
-          length = length - padding;
-          MEMCPY(padded + offset, begin + padding, char, length);
-        }
-
         usec = strtod(padded, NULL);
     }
     else