Prevent array size calculation overflows.

author: Clayton Smith <[email protected]> 2016-11-30 13:55:09 -0500
committer: Clayton Smith <[email protected]> 2016-11-30 13:55:09 -0500
commit: acdddb4f1431945e61030a436f4a611307bc4420 (patch)
tree: 5b941142ae8cf7bdb69688867cfa306c5ab6c662 /src/array.c
parent: 8461a31cb491f272524d14a9e54fcc9fae7a22c1 (diff)
download: mruby-acdddb4f1431945e61030a436f4a611307bc4420.tar.gz
mruby-acdddb4f1431945e61030a436f4a611307bc4420.zip
1 files changed, 5 insertions, 2 deletions
diff --git a/src/array.c b/src/array.c
index df037a121..8902f2dda 100644
--- a/src/array.c
+++ b/src/array.c
@@ -118,7 +118,7 @@ ary_modify(mrb_state *mrb, struct RArray *a)
     }
     else {
       mrb_value *ptr, *p;
-      mrb_int len;
+      size_t len;
 
       p = a->ptr;
       len = a->len * sizeof(mrb_value);
@@ -244,6 +244,9 @@ mrb_ary_s_create(mrb_state *mrb, mrb_value self)
 static void
 ary_concat(mrb_state *mrb, struct RArray *a, struct RArray *a2)
 {
+  if (a2->len > ARY_MAX_SIZE - a->len) {
+    mrb_raise(mrb, E_ARGUMENT_ERROR, "array size too big");
+  }
   mrb_int len = a->len + a2->len;
 
   ary_modify(mrb, a);
@@ -559,7 +562,7 @@ static struct RArray*
 ary_dup(mrb_state *mrb, struct RArray *a)
 {
   struct RArray *d = ary_new_capa(mrb, a->len);
-  
+
   ary_replace(mrb, d, a->ptr, a->len);
   return d;
 }
author	Clayton Smith <[email protected]>	2016-11-30 13:55:09 -0500
committer	Clayton Smith <[email protected]>	2016-11-30 13:55:09 -0500
commit	acdddb4f1431945e61030a436f4a611307bc4420 (patch)
tree	5b941142ae8cf7bdb69688867cfa306c5ab6c662 /src/array.c
parent	8461a31cb491f272524d14a9e54fcc9fae7a22c1 (diff)
download	mruby-acdddb4f1431945e61030a436f4a611307bc4420.tar.gz mruby-acdddb4f1431945e61030a436f4a611307bc4420.zip