| author | Yukihiro "Matz" Matsumoto <[email protected]> | 2021-09-09 19:12:59 +0900 |
|---|---|---|
| committer | Yukihiro "Matz" Matsumoto <[email protected]> | 2021-09-09 19:12:59 +0900 |
| commit | 7e612b1c892356f756635cdfb2df701c53d31052 (patch) | |
| tree | 47da886955066ff54e35bdd023b97c7a6af35e72 /src | |
| parent | 8a41d2b876e77b9e0718fa4faf5b5d884c7b0b5d (diff) | |
string.c: check integer overflow in `str_replace_partial`.
Diffstat (limited to 'src')
| -rw-r--r-- | src/string.c | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/src/string.c b/src/string.c index 550f24c7a..ac0f4a920 100644 --- a/src/string.c +++ b/src/string.c @@ -1243,9 +1243,7 @@ str_replace_partial(mrb_state *mrb, mrb_value src, mrb_int pos, mrb_int end, mrb } replen = (mrb_nil_p(rep) ? 0 : RSTRING_LEN(rep)); - newlen = replen + (len - (end - pos)); - - if (newlen >= MRB_SSIZE_MAX || newlen < replen /* overflowed */) { + if (mrb_int_add_overflow(replen, len - (end - pos), &newlen) || newlen >= MRB_SSIZE_MAX) { mrb_raise(mrb, E_RUNTIME_ERROR, "string size too big"); } |
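Review bot: Only the final addition is overflow-checked in the new condition; the second argument `len - (end - pos)` is still computed with plain arithmetic before `mrb_int_add_overflow` receives it. That is complete only if the code above the hunk guarantees `0 <= pos <= end <= len`, which these lines do not show, so a short comment or assertion stating that invariant beside the call would make the check verifiable in place. The removed test `newlen < replen` also rejected any result smaller than `replen`, which is what a negative second operand would produce, and the new condition no longer does; the same invariant would cover that case, which is one more reason to state it. The removed form ran its test after the addition had already been performed, which for a signed type like the `mrb_int` parameters `pos` and `end` is undefined behaviour in C on overflow, and the commit message would be more useful if it said that this is what the change replaces.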
