From cfdd1e3cc6ec9ac7ba81ec6fad5d5ba4d11334b9 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Sat, 31 Dec 2016 23:22:17 +0900
Subject: ary_expand_capa(): refine conditions to avoid infinite loop; ref #3353
---
 src/array.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
(limited to 'src/array.c')
diff --git a/src/array.c b/src/array.c
index 385f603ed..54ff26721 100644
--- a/src/array.c
+++ b/src/array.c
@@ -170,6 +170,7 @@ ary_expand_capa(mrb_state *mrb, struct RArray *a, size_t len)
 size_t capa = a->aux.capa;
 if (len > ARY_MAX_SIZE) {
+ size_error:
 mrb_raise(mrb, E_ARGUMENT_ERROR, "array size too big");
 }
@@ -177,13 +178,15 @@ ary_expand_capa(mrb_state *mrb, struct RArray *a, size_t len)
 capa = ARY_DEFAULT_LEN;
 }
 while (capa < len) {
- capa *= 2;
- if (capa > ARY_MAX_SIZE) {
- capa = ARY_MAX_SIZE;
+ if (capa <= ARY_MAX_SIZE / 2) {
+ capa *= 2;
+ }
+ else {
+ goto size_error;
 }
 }
 if (capa < len || capa > MRB_INT_MAX) {
- mrb_raise(mrb, E_ARGUMENT_ERROR, "array size too big");
+ goto size_error;
 }
 if (capa > (size_t)a->aux.capa) {
-- cgit v1.2.3
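Review bot: The `size_error:` label sits inside the body of the `if (len > ARY_MAX_SIZE)` guard, so the two `goto size_error;` statements added in the second hunk jump into a conditional block from outside it. That is legal C but easy to misread, and it is only safe on the assumption that `mrb_raise` never returns; if it did, control would leave the `if` and continue into the capacity code with a size that was just rejected. A comment on the label such as `/* shared error exit; mrb_raise() is expected not to return */` would record that assumption for the next reader. The body of ary_expand_capa starts before and ends after this hunk, so whether the label could instead sit at the end of the function cannot be judged from here.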
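Review bot: The new `else` branch inside `while (capa < len)` rejects lengths that the first guard has already accepted: when `capa` is above `ARY_MAX_SIZE / 2` and `len` is greater than `capa` but not greater than `ARY_MAX_SIZE`, the request is within the limit and still ends in `goto size_error`. Assigning the requested length in that branch, `else { capa = len; }`, also ends the loop and keeps `capa` at or below `ARY_MAX_SIZE` without refusing a valid size. After this change the loop can only exit normally with `capa >= len`, so the `capa < len` half of the following check is dead and only `capa > MRB_INT_MAX` still does work; a short comment there would say which bound that test is guarding. The function body continues outside the hunk.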