From 4c1494d58fbccbd6363060cadfc8420480bf87e8 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto" <matz@ruby.or.jp>
Date: Fri, 9 Feb 2018 12:55:13 +0900
Subject: Check if `mruby-pack` template count overflow; fix #3942

---
 mrbgems/mruby-pack/src/pack.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'mrbgems/mruby-pack/src')

diff --git a/mrbgems/mruby-pack/src/pack.c b/mrbgems/mruby-pack/src/pack.c
index ceb862d3f..30139fb74 100644
--- a/mrbgems/mruby-pack/src/pack.c
+++ b/mrbgems/mruby-pack/src/pack.c
@@ -1050,6 +1050,9 @@ alias:
       count = ch - '0';
       while (tmpl->idx < tlen && isdigit(tptr[tmpl->idx])) {
         count = count * 10 + (tptr[tmpl->idx++] - '0');
+        if (count < 0) {
+          mrb_raisef(mrb, E_RUNTIME_ERROR, "too big template length");
+        }
       }
       continue;  /* special case */
     } else if (ch == '*')  {
-- 
cgit v1.2.3