* ext/syck/syck.c (syck_move_tokens): should reset p->cursor or etc

  even if skip == 0. This causes buffer overrun.
  (ex: YAML.load('--- "..' + '\x82\xA0' * 511 + '"'))


git-svn-id: http://svn.ruby-lang.org/repos/ruby/trunk@9878 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

2 files changed, 6 insertions, 3 deletions

diff --git a/ChangeLog b/ChangeLog
index 8f7787a43..66d1310e0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Fri Feb  3 15:02:10 2006  Hirokazu Yamamoto  <ocean@m2.ccsnet.ne.jp>
+
+	* ext/syck/syck.c (syck_move_tokens): should reset p->cursor or etc
+	  even if skip == 0. This causes buffer overrun.
+	  (ex: YAML.load('--- "..' + '\x82\xA0' * 511 + '"'))
+
 Fri Feb  3 00:01:31 2006  Hirokazu Yamamoto  <ocean@m2.ccsnet.ne.jp>
 
 	* ext/syck/emitter.c (syck_emitter_write): should not set '\0' on
diff --git a/ext/syck/syck.c b/ext/syck/syck.c
index 33f9bf23e..24a56a5e4 100644
--- a/ext/syck/syck.c
+++ b/ext/syck/syck.c
@@ -410,9 +410,6 @@ syck_move_tokens( SyckParser *p )
         return 0;
 
     skip = p->limit - p->token;
-    if ( skip < 1 )
-        return 0;
-
     if ( ( count = p->token - p->buffer ) )
     {
         S_MEMMOVE( p->buffer, p->token, char, skip );