Merge pull request #3309 from clayton-shopify/fix-array-size-2

Prevent array size calculation overflows.
author: Yukihiro "Matz" Matsumoto <[email protected]> 2016-12-01 11:46:57 +0900
committer: GitHub <[email protected]> 2016-12-01 11:46:57 +0900
commit: 61ac564c99ab07f01f1af2809493103fc5216a85 (patch)
tree: 5a20661a9b16d5a475d2cda4921e490d65489e74 /src
parent: c37c255f191345a1e883222cdb70d09862f33ac8 (diff)
parent: acdddb4f1431945e61030a436f4a611307bc4420 (diff)
download: mruby-61ac564c99ab07f01f1af2809493103fc5216a85.tar.gz
mruby-61ac564c99ab07f01f1af2809493103fc5216a85.zip
1 files changed, 5 insertions, 2 deletions
diff --git a/src/array.c b/src/array.c
index df037a121..8902f2dda 100644
--- a/src/array.c
+++ b/src/array.c
@@ -118,7 +118,7 @@ ary_modify(mrb_state *mrb, struct RArray *a)
     }
     else {
       mrb_value *ptr, *p;
-      mrb_int len;
+      size_t len;
 
       p = a->ptr;
       len = a->len * sizeof(mrb_value);
@@ -244,6 +244,9 @@ mrb_ary_s_create(mrb_state *mrb, mrb_value self)
 static void
 ary_concat(mrb_state *mrb, struct RArray *a, struct RArray *a2)
 {
+  if (a2->len > ARY_MAX_SIZE - a->len) {
+    mrb_raise(mrb, E_ARGUMENT_ERROR, "array size too big");
+  }
   mrb_int len = a->len + a2->len;
 
   ary_modify(mrb, a);
@@ -559,7 +562,7 @@ static struct RArray*
 ary_dup(mrb_state *mrb, struct RArray *a)
 {
   struct RArray *d = ary_new_capa(mrb, a->len);
-  
+
   ary_replace(mrb, d, a->ptr, a->len);
   return d;
 }
author	Yukihiro "Matz" Matsumoto <[email protected]>	2016-12-01 11:46:57 +0900
committer	GitHub <[email protected]>	2016-12-01 11:46:57 +0900
commit	61ac564c99ab07f01f1af2809493103fc5216a85 (patch)
tree	5a20661a9b16d5a475d2cda4921e490d65489e74 /src
parent	c37c255f191345a1e883222cdb70d09862f33ac8 (diff)
parent	acdddb4f1431945e61030a436f4a611307bc4420 (diff)
download	mruby-61ac564c99ab07f01f1af2809493103fc5216a85.tar.gz mruby-61ac564c99ab07f01f1af2809493103fc5216a85.zip