From aaf47cca03c4c7561fd931e0aa1a76adfdb23eba Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date: Mon, 12 Jan 2026 18:39:15 +0900
Subject: [PATCH] Now onigenc_single_byte_code_to_mbclen checks out-of-bound

---
 sprintf.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/sprintf.c b/sprintf.c
index cb266a9841..de88a9f4b3 100644
--- a/sprintf.c
+++ b/sprintf.c
@@ -441,7 +441,7 @@ rb_str_format(int argc, const VALUE *argv, VALUE fmt)
                 VALUE val = GETARG();
                 VALUE tmp;
                 unsigned int c;
-                int n;
+                int n, encidx;
 
                 tmp = rb_check_string_type(val);
                 if (!NIL_P(tmp)) {
@@ -451,11 +451,13 @@ rb_str_format(int argc, const VALUE *argv, VALUE fmt)
                     goto format_s1;
                 }
                 n = NUM2INT(val);
-                if (n >= 0) n = rb_enc_codelen((c = n), enc);
+                if (n >= 0) {
+                    n = rb_enc_codelen((c = n), enc);
+                    encidx = rb_ascii8bit_appendable_encoding_index(enc, c);
+                }
                 if (n <= 0) {
                     rb_raise(rb_eArgError, "invalid character");
                 }
-                int encidx = rb_ascii8bit_appendable_encoding_index(enc, c);
                 if (encidx >= 0 && encidx != rb_enc_to_index(enc)) {
                     /* special case */
                     rb_enc_associate_index(result, encidx);