From 19346c2336053b351673da030b00c704138252d8 Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada
Date: Wed, 13 Sep 2023 06:45:26 +0900
Subject: [PATCH] [Bug #19754] Make `IO::Buffer#get_string` check `offset` range (#8016)
---
 io_buffer.c | 3 +++
 test/ruby/test_io_buffer.rb | 8 ++++++++
 2 files changed, 11 insertions(+)
diff --git a/io_buffer.c b/io_buffer.c
index d987b8fa38..6b5d5ee714 100644
--- a/io_buffer.c
+++ b/io_buffer.c
@@ -1156,6 +1156,9 @@ VALUE rb_io_buffer_free_locked(VALUE self)
 static inline void
 io_buffer_validate_range(struct rb_io_buffer *buffer, size_t offset, size_t length)
 {
+ if (offset > buffer->size) {
+ rb_raise(rb_eArgError, "Specified offset exceeds buffer size!");
+ }
 if (offset + length > buffer->size) {
 rb_raise(rb_eArgError, "Specified offset+length exceeds buffer size!");
 }
diff --git a/test/ruby/test_io_buffer.rb b/test/ruby/test_io_buffer.rb
index 75ec4016fa..c3ab09f27e 100644
--- a/test/ruby/test_io_buffer.rb
+++ b/test/ruby/test_io_buffer.rb
@@ -251,6 +251,14 @@ class TestIOBuffer < Test::Unit::TestCase
 chunk = buffer.get_string(0, message.bytesize, Encoding::BINARY)
 assert_equal Encoding::BINARY, chunk.encoding
+
+ assert_raise_with_message(ArgumentError, /exceeds buffer size/) do
+ buffer.get_string(0, 129)
+ end
+
+ assert_raise_with_message(ArgumentError, /exceeds buffer size/) do
+ buffer.get_string(129)
+ end
 end
 # We check that values are correctly round tripped.
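Review bot: The unchanged `offset + length > buffer->size` comparison in io_buffer_validate_range can still wrap around in size_t, so a non-zero offset combined with a length close to SIZE_MAX sums to a small value and the range is accepted. The new `offset > buffer->size` guard makes the subtraction safe, so the second check can drop the addition: `if (length > buffer->size - offset) {`. Whether callers can actually pass such a length is not visible in this hunk, so confirm how get_string and the other callers derive it before relying on the current form.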
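Review bot: Both new assertions in test/ruby/test_io_buffer.rb use `/exceeds buffer size/`, which either error message satisfies, so the test does not pin that `buffer.get_string(129)` is rejected by the new offset guard rather than by the offset+length check. Tighten the second assertion to `/offset exceeds buffer size/`. A case at offset == size (presumably 128 here; the buffer is constructed above the hunk) would also document that the guard is `>` and not `>=`. The test method starts outside the hunk.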