From 3da372b30fc7996222851b265754f1213742ec90 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto" <matz@ruby.or.jp>
Date: Sat, 27 Feb 2021 12:00:24 +0900
Subject: pack.c: add more checks for `pack_pack()`.

---
 mrbgems/mruby-pack/src/pack.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'mrbgems/mruby-pack')

diff --git a/mrbgems/mruby-pack/src/pack.c b/mrbgems/mruby-pack/src/pack.c
index b0da7b06b..e52171d6b 100644
--- a/mrbgems/mruby-pack/src/pack.c
+++ b/mrbgems/mruby-pack/src/pack.c
@@ -1186,10 +1186,14 @@ mrb_pack_pack(mrb_state *mrb, mrb_value ary)
     if (dir == PACK_DIR_INVALID)
       continue;
     else if (dir == PACK_DIR_NUL) {
-        ridx += pack_x(mrb, mrb_nil_value(), result, ridx, count, flags);
-        continue;
+      ridx += pack_x(mrb, mrb_nil_value(), result, ridx, count, flags);
+      if (ridx < 0) goto overflow;
+      continue;
     }
 
+    if ((flags & PACK_FLAG_WIDTH) && aidx >= RARRAY_LEN(ary)) {
+      mrb_raise(mrb, E_ARGUMENT_ERROR, "too few arguments");
+    }
     for (; aidx < RARRAY_LEN(ary); aidx++) {
       if (count == 0 && !(flags & PACK_FLAG_WIDTH))
         break;
@@ -1258,6 +1262,7 @@ mrb_pack_pack(mrb_state *mrb, mrb_value ary)
       }
     }
     if (ridx < 0) {
+    overflow:
       mrb_raise(mrb, E_RANGE_ERROR, "negative (or overflowed) template size");
     }
   }
-- 
cgit v1.2.3