pack.c: check integer overflow in unpacking BER; fix #5611

author: Yukihiro "Matz" Matsumoto <[email protected]> 2021-12-23 07:56:40 +0900
committer: Yukihiro "Matz" Matsumoto <[email protected]> 2021-12-23 07:57:58 +0900
commit: 3b59c95ead70a779c6894f9975228f0443ad488d (patch)
tree: 752a949154ffba646d53a6a1e3f1cc170593cd1c /mrbgems
parent: 42a6872c2b87e97656d07ad6be9d71865554fae7 (diff)
download: mruby-3b59c95ead70a779c6894f9975228f0443ad488d.tar.gz
mruby-3b59c95ead70a779c6894f9975228f0443ad488d.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/mrbgems/mruby-pack/src/pack.c b/mrbgems/mruby-pack/src/pack.c
index f0d4b8d9e..1edaac93b 100644
--- a/mrbgems/mruby-pack/src/pack.c
+++ b/mrbgems/mruby-pack/src/pack.c
@@ -415,6 +415,9 @@ unpack_BER(mrb_state *mrb, const unsigned char *src, int srclen, mrb_value ary,
   const unsigned char *e = p + srclen;
 
   for (i=1; p<e; p++,i++) {
+    if (n > (MRB_INT_MAX>>7)) {
+      mrb_raise(mrb, E_RANGE_ERROR, "BER unpacking 'w' overflow");
+    }
     n <<= 7;
     n |= *p & 0x7f;
     if ((*p & 0x80) == 0) break;
author	Yukihiro "Matz" Matsumoto <[email protected]>	2021-12-23 07:56:40 +0900
committer	Yukihiro "Matz" Matsumoto <[email protected]>	2021-12-23 07:57:58 +0900
commit	3b59c95ead70a779c6894f9975228f0443ad488d (patch)
tree	752a949154ffba646d53a6a1e3f1cc170593cd1c /mrbgems
parent	42a6872c2b87e97656d07ad6be9d71865554fae7 (diff)
download	mruby-3b59c95ead70a779c6894f9975228f0443ad488d.tar.gz mruby-3b59c95ead70a779c6894f9975228f0443ad488d.zip