From 3b59c95ead70a779c6894f9975228f0443ad488d Mon Sep 17 00:00:00 2001 From: "Yukihiro \"Matz\" Matsumoto" Date: Thu, 23 Dec 2021 07:56:40 +0900 Subject: pack.c: check integer overflow in unpacking BER; fix #5611 --- mrbgems/mruby-pack/src/pack.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/mrbgems/mruby-pack/src/pack.c b/mrbgems/mruby-pack/src/pack.c index f0d4b8d9e..1edaac93b 100644 --- a/mrbgems/mruby-pack/src/pack.c +++ b/mrbgems/mruby-pack/src/pack.c @@ -415,6 +415,9 @@ unpack_BER(mrb_state *mrb, const unsigned char *src, int srclen, mrb_value ary, const unsigned char *e = p + srclen; for (i=1; p (MRB_INT_MAX>>7)) { + mrb_raise(mrb, E_RANGE_ERROR, "BER unpacking 'w' overflow"); + } n <<= 7; n |= *p & 0x7f; if ((*p & 0x80) == 0) break; -- cgit v1.2.3
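Review bot: The new guard `if (n > (MRB_INT_MAX>>7))` carries no comment saying why it must run before `n <<= 7;`, so a later edit could move it below the shift; I would add `/* reject before shifting: n << 7 must stay within mrb_int (signed overflow is undefined) */` above it. The bound is only sufficient while n is non-negative, which the visible lines suggest (n is only shifted and OR-ed with `*p & 0x7f`), but its declaration and initial value are outside the hunk. The diffstat shows only pack.c changed, so a regression case for #5611 that unpacks a 'w' field too long for mrb_int and expects a RangeError would be worth adding alongside. Separately, the only loop exit shown is `if ((*p & 0x80) == 0) break;`, and whether input that ends with the continuation bit still set is rejected is decided after the loop, outside this hunk, and should be confirmed.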