From 1ed4de58d016a25d8a6ae4576e447dab1709535c Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Sat, 31 Dec 2016 23:33:34 +0900
Subject: str_buf_cat(): better size check added; ref #3342
---
 src/string.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
(limited to 'src/string.c')
diff --git a/src/string.c b/src/string.c
index d41237f44..072bf2226 100644
--- a/src/string.c
+++ b/src/string.c
@@ -163,15 +163,20 @@ str_buf_cat(mrb_state *mrb, struct RString *s, const char *ptr, size_t len)
 total = RSTR_LEN(s)+len;
 if (total >= MRB_INT_MAX) {
+ size_error:
 mrb_raise(mrb, E_ARGUMENT_ERROR, "string size too big");
 }
 if (capa <= total) {
 while (total > capa) {
- if (capa + 1 >= MRB_INT_MAX / 2) {
- capa = MRB_INT_MAX;
- break;
+ if (capa <= MRB_INT_MAX / 2) {
+ capa *= 2;
+ }
+ else {
+ goto size_error;
 }
- capa = (capa + 1) * 2;
+ }
+ if (capa < total || capa > MRB_INT_MAX) {
+ goto size_error;
 }
 resize_capa(mrb, s, capa);
 }
--
cgit v1.2.3
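Review bot: The new doubling step `capa *= 2` inside `while (total > capa)` makes no progress when `capa` is 0, whereas the removed `capa = (capa + 1) * 2` always grew. The assignment of `capa` is outside the hunk, so whether it can be zero on entry is inferred; if it can, an append to such a string loops forever instead of resizing or raising. A guard before the loop, `if (capa == 0) capa = 1;`, restores termination. Separately, `total = RSTR_LEN(s)+len` is computed before the `MRB_INT_MAX` comparison, and since `len` is a `size_t` a very large value could wrap the sum past that check depending on the type of `total`, which is not visible here. Testing `len` against `MRB_INT_MAX - RSTR_LEN(s)` before adding would not depend on it. The body of str_buf_cat begins and ends outside the hunk.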