From bf1cb87b34af41e8877b8c24e5fc37fc07a0394e Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Tue, 20 Jun 2017 20:19:37 +0900
Subject: Array size can be cause integer overflow; fix #3710
---
 src/array.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/array.c')
diff --git a/src/array.c b/src/array.c
index 86fb50e5c..8b6b9fa1e 100644
--- a/src/array.c
+++ b/src/array.c
@@ -169,7 +169,7 @@ ary_expand_capa(mrb_state *mrb, struct RArray *a, mrb_int len)
 {
 mrb_int capa = a->aux.capa;
- if (len > ARY_MAX_SIZE) {
+ if (len > ARY_MAX_SIZE || len < 0) {
 size_error:
 mrb_raise(mrb, E_ARGUMENT_ERROR, "array size too big");
 }
--
cgit v1.2.3
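Review bot: The added `len < 0` test in ary_expand_capa only catches the overflow after it has happened. A negative `len` presumably comes from signed `mrb_int` arithmetic in a caller (not visible in this hunk) that has already wrapped. Signed overflow is undefined behaviour in C, so the compiler is not required to hand this function a negative value, and the check can be defeated by optimisation. Keep the guard as a backstop, but have the callers that compute the new length compare before adding, in the form `if (extra > ARY_MAX_SIZE - cur_len)` (names constructed for illustration), and raise the same error there. A short comment on the new condition, such as `/* len < 0: the caller's length arithmetic overflowed */`, would record why a size can be negative here. The function body and the other users of the `size_error` label continue outside the hunk.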