From c728632c1c09d46cfd4ecbff9caaa3651dd1002a Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada
Date: Fri, 3 Sep 2021 19:40:22 +0900
Subject: [PATCH] Fix integer overflow

Make use of the check in rb_alloc_tmp_buffer2.

https://hackerone.com/reports/1328463
---
 ext/cgi/escape/escape.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/ext/cgi/escape/escape.c
+++ b/ext/cgi/escape/escape.c
@@ -36,7 +36,8 @@ optimized_escape_html(VALUE str)
 {
     VALUE vbuf;
-    char *buf = ALLOCV_N(char, vbuf, RSTRING_LEN(str) * HTML_ESCAPE_MAX_LEN);
+    typedef char escape_buf[HTML_ESCAPE_MAX_LEN];
+    char *buf = *ALLOCV_N(escape_buf, vbuf, RSTRING_LEN(str));
     const char *cstr = RSTRING_PTR(str);
     const char *end = cstr + RSTRING_LEN(str);