From 7078fcd9e405b6082542cc0d984c8468f2aa0af3 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto" 
Date: Wed, 13 Nov 2013 10:15:57 +0900
Subject: fixnum in irep->pool may overflow
---
 src/load.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/load.c b/src/load.c
index 9aab754c7..7722929d4 100644
--- a/src/load.c
+++ b/src/load.c
@@ -102,7 +102,21 @@ read_irep_record_1(mrb_state *mrb, const uint8_t *bin, uint32_t *len)
 irep->pool[i].type = tt;
 switch (tt) { //pool data
 case MRB_TT_FIXNUM:
- irep->pool[i].value.i = mrb_fixnum(mrb_str_to_inum(mrb, s, 10, FALSE));
+ {
+ mrb_value v = mrb_str_to_inum(mrb, s, 10, FALSE);
+
+ switch (mrb_type(v)) {
+ case MRB_TT_FIXNUM:
+ irep->pool[i].value.i = mrb_fixnum(v);
+ break;
+ case MRB_TT_FLOAT:
+ irep->pool[i].type = MRB_TT_FLOAT;
+ irep->pool[i].value.f = mrb_float(v);
+ default:
+ /* broken data; should not happen */
+ irep->pool[i].value.i = 0;
+ }
+ }
 break;
 case MRB_TT_FLOAT:
-- 
cgit v1.2.3
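Review bot: The new `case MRB_TT_FLOAT:` arm inside the inner switch has no `break;`, so after storing `mrb_float(v)` it falls through into `default:` and executes `irep->pool[i].value.i = 0;`; if `value` is a union of `.i` and `.f` (as the two accessors suggest), that clobbers the float that was just written, and the pool entry ends up typed MRB_TT_FLOAT with a zeroed payload. Add `break;` after `irep->pool[i].value.f = mrb_float(v);` and, since fallthrough is otherwise silent here, close `default:` with an explicit `break;` as well. The `default:` arm also leaves `irep->pool[i].type` as MRB_TT_FIXNUM while the comment calls the data broken; because `s` comes from the irep binary being loaded, a reviewer may prefer that this path report a load error to the caller rather than quietly substitute 0, though the surrounding error-reporting convention of read_irep_record_1 is outside the hunk. The enclosing function starts and ends outside the hunk.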