From 9b3a4fd8a47c0983e3a8c3e74b649fe9d15b8cbc Mon Sep 17 00:00:00 2001
From: Yukihiro Matsumoto <matz@ruby-lang.org>
Date: Sat, 21 Apr 2012 01:01:07 +0900
Subject: avoid integer overflow

---
 src/array.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'src/array.c')

diff --git a/src/array.c b/src/array.c
index e3a0a3a9a..75b2cd0c1 100644
--- a/src/array.c
+++ b/src/array.c
@@ -34,6 +34,7 @@ mrb_value
 mrb_ary_new_capa(mrb_state *mrb, size_t capa)
 {
   struct RArray *a;
+  size_t blen;
 
 #ifdef LONG_MAX
   if (capa > ARY_MAX_SIZE) {
@@ -43,10 +44,14 @@ mrb_ary_new_capa(mrb_state *mrb, size_t capa)
   if (capa < ARY_DEFAULT_LEN) {
     capa = ARY_DEFAULT_LEN;
   }
+  blen = capa * sizeof(mrb_value) ;
+  if (blen < capa) {
+    mrb_raise(mrb, E_ARGUMENT_ERROR, "ary size too big");
+  }
 
   a = mrb_obj_alloc(mrb, MRB_TT_ARRAY, mrb->array_class);
-  a->buf = mrb_malloc(mrb, sizeof(mrb_value) * capa);
-  memset(a->buf, 0, sizeof(mrb_value) * capa);
+  a->buf = mrb_malloc(mrb, blen);
+  memset(a->buf, 0, blen);
   a->capa = capa;
   a->len = 0;
 
-- 
cgit v1.2.3