From 748375309443176e2e2abf0629cf042fc222d4a4 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Tue, 13 Feb 2018 08:48:23 +0900
Subject: Check negative offset in `pack` method; fix #3944
---
 mrbgems/mruby-pack/src/pack.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'mrbgems/mruby-pack/src/pack.c')
diff --git a/mrbgems/mruby-pack/src/pack.c b/mrbgems/mruby-pack/src/pack.c
index 3afb5b962..3b64df2cc 100644
--- a/mrbgems/mruby-pack/src/pack.c
+++ b/mrbgems/mruby-pack/src/pack.c
@@ -107,6 +107,9 @@ static mrb_value
 str_len_ensure(mrb_state *mrb, mrb_value str, mrb_int len)
 {
 mrb_int n = RSTRING_LEN(str);
+ if (len < 0) {
+ mrb_raise(mrb, E_RANGE_ERROR, "negative (or overflowed) integer");
+ }
 if (len > n) {
 do {
 n *= 2;
@@ -840,7 +843,6 @@ pack_x(mrb_state *mrb, mrb_value src, mrb_value dst, mrb_int didx, long count, u
 }
 return count;
 }
-
 static int
 unpack_x(mrb_state *mrb, const void *src, int slen, mrb_value ary, int count, unsigned int flags)
 {
@@ -1176,6 +1178,9 @@ mrb_pack_pack(mrb_state *mrb, mrb_value ary)
 count--;
 }
 }
+ if (ridx < 0) {
+ mrb_raise(mrb, E_RANGE_ERROR, "negative (or overflowed) template size");
+ }
 }

 mrb_str_resize(mrb, result, ridx);
-- cgit v1.2.3
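Review bot: A large positive `len` is still not handled after the new `len < 0` check in `str_len_ensure`: the growth loop that follows doubles a signed `mrb_int` with `n *= 2`, which can overflow before it reaches `len`, and it makes no progress if `RSTRING_LEN(str)` is 0. The loop's condition and the rest of the function lie outside the hunk, so this is inferred from the visible `if (len > n) { do { n *= 2;`. Bounding the step would close it, for example `n = (n == 0 || n > MRB_INT_MAX / 2) ? len : n * 2;`, so the computed buffer size can never wrap to a value smaller than the offset about to be written.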
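Review bot: The `ridx < 0` test added at the end of the loop body in `mrb_pack_pack` detects the overflow only after the signed addition has already happened, which is undefined behaviour in C and may be assumed away by an optimising compiler; the `len < 0` check added to `str_len_ensure` relies on the same wraparound. The statement that advances `ridx` and its declaration are outside the hunk, so the exact types involved are not visible here. A check made before the addition does not depend on wraparound, for example `if (n > MRB_INT_MAX - ridx) mrb_raise(mrb, E_RANGE_ERROR, "negative (or overflowed) template size");`, where `n` stands for the number of bytes about to be added.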