Check negative offset in `pack` method; fix #3944

author: Yukihiro "Matz" Matsumoto <[email protected]> 2018-02-13 08:48:23 +0900
committer: Yukihiro "Matz" Matsumoto <[email protected]> 2018-02-13 08:48:23 +0900
commit: 748375309443176e2e2abf0629cf042fc222d4a4 (patch)
tree: 3045e51e3d608a99a0be7b2e28557950092a3812 /mrbgems/mruby-pack/src
parent: c5ec37a8ab2366c0b2bb638b28de7f05a5efc51a (diff)
download: mruby-748375309443176e2e2abf0629cf042fc222d4a4.tar.gz
mruby-748375309443176e2e2abf0629cf042fc222d4a4.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/mrbgems/mruby-pack/src/pack.c b/mrbgems/mruby-pack/src/pack.c
index 3afb5b962..3b64df2cc 100644
--- a/mrbgems/mruby-pack/src/pack.c
+++ b/mrbgems/mruby-pack/src/pack.c
@@ -107,6 +107,9 @@ static mrb_value
 str_len_ensure(mrb_state *mrb, mrb_value str, mrb_int len)
 {
   mrb_int n = RSTRING_LEN(str);
+  if (len < 0) {
+    mrb_raise(mrb, E_RANGE_ERROR, "negative (or overflowed) integer");
+  }
   if (len > n) {
     do {
       n *= 2;
@@ -840,7 +843,6 @@ pack_x(mrb_state *mrb, mrb_value src, mrb_value dst, mrb_int didx, long count, u
   }
   return count;
 }
-
 static int
 unpack_x(mrb_state *mrb, const void *src, int slen, mrb_value ary, int count, unsigned int flags)
 {
@@ -1176,6 +1178,9 @@ mrb_pack_pack(mrb_state *mrb, mrb_value ary)
         count--;
       }
     }
+    if (ridx < 0) {
+      mrb_raise(mrb, E_RANGE_ERROR, "negative (or overflowed) template size");
+    }
   }
 
   mrb_str_resize(mrb, result, ridx);
author	Yukihiro "Matz" Matsumoto <[email protected]>	2018-02-13 08:48:23 +0900
committer	Yukihiro "Matz" Matsumoto <[email protected]>	2018-02-13 08:48:23 +0900
commit	748375309443176e2e2abf0629cf042fc222d4a4 (patch)
tree	3045e51e3d608a99a0be7b2e28557950092a3812 /mrbgems/mruby-pack/src
parent	c5ec37a8ab2366c0b2bb638b28de7f05a5efc51a (diff)
download	mruby-748375309443176e2e2abf0629cf042fc222d4a4.tar.gz mruby-748375309443176e2e2abf0629cf042fc222d4a4.zip