Check negative offset in `pack` method; fix #3944

1 files changed, 6 insertions, 1 deletions

diff --git a/mrbgems/mruby-pack/src/pack.c b/mrbgems/mruby-pack/src/pack.c
index 3afb5b962..3b64df2cc 100644
--- a/mrbgems/mruby-pack/src/pack.c
+++ b/mrbgems/mruby-pack/src/pack.c
@@ -107,6 +107,9 @@ static mrb_value
 str_len_ensure(mrb_state *mrb, mrb_value str, mrb_int len)
 {
   mrb_int n = RSTRING_LEN(str);
+  if (len < 0) {
+    mrb_raise(mrb, E_RANGE_ERROR, "negative (or overflowed) integer");
+  }
   if (len > n) {
     do {
       n *= 2;
@@ -840,7 +843,6 @@ pack_x(mrb_state *mrb, mrb_value src, mrb_value dst, mrb_int didx, long count, u
   }
   return count;
 }
-
 static int
 unpack_x(mrb_state *mrb, const void *src, int slen, mrb_value ary, int count, unsigned int flags)
 {
@@ -1176,6 +1178,9 @@ mrb_pack_pack(mrb_state *mrb, mrb_value ary)
         count--;
       }
     }
+    if (ridx < 0) {
+      mrb_raise(mrb, E_RANGE_ERROR, "negative (or overflowed) template size");
+    }
   }
 
   mrb_str_resize(mrb, result, ridx);