From 63fd7967b205604ce39b0b65e1ff1aff9b6f968f Mon Sep 17 00:00:00 2001
From: mwilliams
Date: Tue, 19 Mar 2013 07:47:54 -0700
Subject: [PATCH] Fix StringBuffer::resize() capacity doesnt include the terminating null, so len is allowed to grow to capacity (not capacity - 1).
---
 hphp/runtime/base/util/string_buffer.cpp | 4 ++--
 hphp/test/vm/sb_overflow.php | 8 ++++++++
 hphp/test/vm/sb_overflow.php.exp | 1 +
 3 files changed, 11 insertions(+), 2 deletions(-)
 create mode 100644 hphp/test/vm/sb_overflow.php
 create mode 100644 hphp/test/vm/sb_overflow.php.exp
diff --git a/hphp/runtime/base/util/string_buffer.cpp b/hphp/runtime/base/util/string_buffer.cpp
index 762b0949a..e0c7f525a 100644
--- a/hphp/runtime/base/util/string_buffer.cpp
+++ b/hphp/runtime/base/util/string_buffer.cpp
@@ -150,8 +150,8 @@ void StringBuffer::release() {
 }
 
 void StringBuffer::resize(int size) {
- assert(size >= 0 && size < m_cap);
- if (size >= 0 && size < m_cap) {
+ assert(size >= 0 && size <= m_cap);
+ if (size >= 0 && size <= m_cap) {
 m_len = size;
 }
 }
diff --git a/hphp/test/vm/sb_overflow.php b/hphp/test/vm/sb_overflow.php
new file mode 100644
index 000000000..03dfeb087
--- /dev/null
+++ b/hphp/test/vm/sb_overflow.php
@@ -0,0 +1,8 @@
+
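Review bot: The relaxed bound `size <= m_cap` in resize() is only memory-safe if the allocation behind the buffer really is m_cap + 1 bytes (room for the terminating NUL), as the commit message asserts; nothing in this hunk shows that allocation, so the invariant should be stated where the bound is checked, e.g. `// m_cap excludes the terminating NUL, so m_len == m_cap is a full, still-terminable buffer.` In release builds the assert is compiled out and an out-of-range size leaves m_len untouched with no error, which is a quieter failure than the overflow the new sb_overflow test targets; at minimum the doc comment should say that resize() silently ignores sizes outside [0, m_cap], or the out-of-range path should become a hard failure consistent with the rest of the class. resize() also does not write a terminator or initialize the bytes between the old and new length, so growing through it presumes the caller already filled that range — worth saying in the same comment so a future caller does not read uninitialized tail bytes.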