string.c: check integer overflow in `mrb_str_aset()`.

author: Yukihiro "Matz" Matsumoto <[email protected]> 2021-09-09 19:12:36 +0900
committer: Yukihiro "Matz" Matsumoto <[email protected]> 2021-09-09 19:12:36 +0900
commit: 8a41d2b876e77b9e0718fa4faf5b5d884c7b0b5d (patch)
tree: bdb7a77617f2b7310c2ba4a421917b495261b5d2 /src
parent: 5777e33c2a2025bd0cbb7984882f16e25c84b774 (diff)
download: mruby-8a41d2b876e77b9e0718fa4faf5b5d884c7b0b5d.tar.gz
mruby-8a41d2b876e77b9e0718fa4faf5b5d884c7b0b5d.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/src/string.c b/src/string.c
index 6643b543e..550f24c7a 100644
--- a/src/string.c
+++ b/src/string.c
@@ -1375,7 +1375,10 @@ mrb_str_aset(mrb_state *mrb, mrb_value str, mrb_value indx, mrb_value alen, mrb_
       str_range_to_bytes(str, &beg, &len);
       /* fall through */
     case STR_BYTE_RANGE_CORRECTED:
-      str_replace_partial(mrb, str, beg, beg + len, replace);
+      if (mrb_int_add_overflow(beg, len, &len)) {
+        mrb_raise(mrb, E_RUNTIME_ERROR, "string index too big");
+      }
+      str_replace_partial(mrb, str, beg, len, replace);
   }
 }
author	Yukihiro "Matz" Matsumoto <[email protected]>	2021-09-09 19:12:36 +0900
committer	Yukihiro "Matz" Matsumoto <[email protected]>	2021-09-09 19:12:36 +0900
commit	8a41d2b876e77b9e0718fa4faf5b5d884c7b0b5d (patch)
tree	bdb7a77617f2b7310c2ba4a421917b495261b5d2 /src
parent	5777e33c2a2025bd0cbb7984882f16e25c84b774 (diff)
download	mruby-8a41d2b876e77b9e0718fa4faf5b5d884c7b0b5d.tar.gz mruby-8a41d2b876e77b9e0718fa4faf5b5d884c7b0b5d.zip