From 43abf36f00273726e4407007cbae38a04c011f87 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Sun, 5 Sep 2021 16:41:08 +0900
Subject: array.c: check integer overflow before addition.
---
 src/array.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'src/array.c')
diff --git a/src/array.c b/src/array.c
index 6c9492a80..ae7c87bbc 100644
--- a/src/array.c
+++ b/src/array.c
@@ -742,9 +742,11 @@ mrb_ary_splice(mrb_state *mrb, mrb_value ary, mrb_int head, mrb_int len, mrb_val
 /* range check */
 if (head < 0) {
 head += alen;
- if (head < 0) {
- mrb_raise(mrb, E_INDEX_ERROR, "index is out of array");
- }
+ if (head < 0) goto out_of_range;
+ }
+ if (head > MRB_INT_MAX - len) {
+ out_of_range:
+ mrb_raise(mrb, E_INDEX_ERROR, "index is out of array");
 }
 tail = head + len;
 if (alen < len || alen < tail) {
--
cgit v1.2.3
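Review bot: The new guard `head > MRB_INT_MAX - len` is only overflow-free when `len` is non-negative; for a negative `len` the subtraction itself is a signed overflow, which is undefined behaviour. No check of `len` is visible in this hunk (presumably it is validated earlier in `mrb_ary_splice`, whose body starts and ends outside the hunk), so the dependency should be stated at the guard, e.g. `/* len >= 0 was checked above, so MRB_INT_MAX - len cannot overflow */`. As a style point, `goto out_of_range` jumps into the body of the second `if`; placing the label after the checks, or simply repeating the `mrb_raise` call, would read more plainly.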