range.c: `len = b - a` may overflow.

author: Yukihiro "Matz" Matsumoto <[email protected]> 2021-09-03 16:29:26 +0900
committer: Yukihiro "Matz" Matsumoto <[email protected]> 2021-09-03 16:30:42 +0900
commit: e02350dd024416c80ee51a493501e093501ceee3 (patch)
tree: 9e0b8c59e94f3f9c71b3442ea85b0e96ab6f4156
parent: dc4b60291a5dc4ead9f6211c54f379a1d89a236c (diff)
download: mruby-e02350dd024416c80ee51a493501e093501ceee3.tar.gz
mruby-e02350dd024416c80ee51a493501e093501ceee3.zip
1 files changed, 5 insertions, 2 deletions
diff --git a/src/range.c b/src/range.c
index 8670d398b..7507173b6 100644
--- a/src/range.c
+++ b/src/range.c
@@ -9,6 +9,7 @@
 #include <mruby/range.h>
 #include <mruby/string.h>
 #include <mruby/array.h>
+#include <mruby/numeric.h>
 #include <mruby/presym.h>
 
 #define RANGE_INITIALIZED_FLAG 1
@@ -352,15 +353,17 @@ range_num_to_a(mrb_state *mrb, mrb_value range)
 
   mrb->c->ci->mid = 0;
   if (mrb_nil_p(end)) {
-    mrb->c->ci->mid = 0;
     mrb_raise(mrb, E_RANGE_ERROR, "cannot convert endless range to an array");
   }
   if (mrb_integer_p(beg)) {
     if (mrb_integer_p(end)) {
       mrb_int a = mrb_integer(beg);
       mrb_int b = mrb_integer(end);
-      mrb_int len = b - a;
+      mrb_int len;
 
+      if (mrb_int_sub_overflow(b, a, &len)) {
+        mrb_raise(mrb, E_RANGE_ERROR, "integer range too long");
+      }
       if (!RANGE_EXCL(r)) len++;
       ary = mrb_ary_new_capa(mrb, len);
       for (mrb_int i=0; i<len; i++) {
author	Yukihiro "Matz" Matsumoto <[email protected]>	2021-09-03 16:29:26 +0900
committer	Yukihiro "Matz" Matsumoto <[email protected]>	2021-09-03 16:30:42 +0900
commit	e02350dd024416c80ee51a493501e093501ceee3 (patch)
tree	9e0b8c59e94f3f9c71b3442ea85b0e96ab6f4156
parent	dc4b60291a5dc4ead9f6211c54f379a1d89a236c (diff)
download	mruby-e02350dd024416c80ee51a493501e093501ceee3.tar.gz mruby-e02350dd024416c80ee51a493501e093501ceee3.zip