authorClayton Smith <[email protected]>2016-11-30 16:30:30 -0500
committerClayton Smith <[email protected]>2016-12-01 09:08:38 -0500
commit2bc3a5fb781056675931c1a3da435c24ad57b4bd (patch)
tree6b626b68a9c8d07e93cf468cc233baca47d22c2e /src
parent2cca9d368815e9c83a7489c40d69937d68cb43a2 (diff)
Fix more integer overflows.
Diffstat (limited to 'src')
-rw-r--r--src/array.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/src/array.c b/src/array.c
index 9013492fb..f6599bd5b 100644
--- a/src/array.c
+++ b/src/array.c
@@ -173,11 +173,13 @@ ary_expand_capa(mrb_state *mrb, struct RArray *a, mrb_int len)
capa = ARY_DEFAULT_LEN;
}
while (capa < len) {
- capa *= 2;
+ if (capa <= ARY_MAX_SIZE / 2) {
+ capa *= 2;
+ } else {
+ capa = ARY_MAX_SIZE;
+ }
}
- if (capa > ARY_MAX_SIZE) capa = ARY_MAX_SIZE; /* len <= capa <= ARY_MAX_SIZE */
-
if (capa > a->aux.capa) {
mrb_value *expanded_ptr = (mrb_value *)mrb_realloc(mrb, a->ptr, sizeof(mrb_value)*capa);
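Review bot: The rewritten doubling loop terminates only if `len <= ARY_MAX_SIZE`: once `capa` is pinned to `ARY_MAX_SIZE` in the `else` branch, `capa < len` stays true for any larger `len` and the loop never exits. The hunk shows no guard on `len` (the body of `ary_expand_capa` starts outside it), and the commit also deletes the comment `/* len <= capa <= ARY_MAX_SIZE */` that recorded the invariant. If the bound is enforced earlier in the function, a comment on the loop would preserve that knowledge, for example `/* len <= ARY_MAX_SIZE is checked above, so this loop terminates */`. If it is not enforced, the function should reject `len > ARY_MAX_SIZE` before the loop rather than rely on clamping.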
@@ -503,6 +505,9 @@ mrb_ary_unshift_m(mrb_state *mrb, mrb_value self)
mrb_int len;
mrb_get_args(mrb, "*", &vals, &len);
+ if (len > ARY_MAX_SIZE - a->len) {
+ mrb_raise(mrb, E_ARGUMENT_ERROR, "array size too big");
+ }
if (ARY_SHARED_P(a)
&& a->aux.shared->refcnt == 1 /* shared only referenced from this array */
&& a->ptr - a->aux.shared->ptr >= len) /* there's room for unshifted item */ {
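Review bot: The new guard in `mrb_ary_unshift_m` is written as `len > ARY_MAX_SIZE - a->len` rather than `a->len + len > ARY_MAX_SIZE`, and nothing says why. The subtraction form is what keeps the check itself free of signed overflow, so a one-line comment would stop a later clean-up from reintroducing the bug: `/* compare by subtraction: a->len + len could overflow mrb_int */`. The check assumes `a->len` is already within `0..ARY_MAX_SIZE`. That cannot be confirmed here, because `a` is set up outside the hunk.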