From 7e612b1c892356f756635cdfb2df701c53d31052 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Thu, 9 Sep 2021 19:12:59 +0900
Subject: string.c: check integer overflow in `str_replace_partial`.
---
 src/string.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
(limited to 'src/string.c')
diff --git a/src/string.c b/src/string.c
index 550f24c7a..ac0f4a920 100644
--- a/src/string.c
+++ b/src/string.c
@@ -1243,9 +1243,7 @@ str_replace_partial(mrb_state *mrb, mrb_value src, mrb_int pos, mrb_int end, mrb
 }
 replen = (mrb_nil_p(rep) ? 0 : RSTRING_LEN(rep));
- newlen = replen + (len - (end - pos));
-
- if (newlen >= MRB_SSIZE_MAX || newlen < replen /* overflowed */) {
+ if (mrb_int_add_overflow(replen, len - (end - pos), &newlen) || newlen >= MRB_SSIZE_MAX) {
 mrb_raise(mrb, E_RUNTIME_ERROR, "string size too big");
 }
-- cgit v1.2.3
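Review bot: The rewritten condition no longer rejects a negative `newlen`, and the addend `len - (end - pos)` is still computed with plain signed arithmetic before it reaches `mrb_int_add_overflow`. The removed `newlen < replen` test also fired whenever that addend was negative, so the new check depends on `pos` and `end` having been range-checked against `len` earlier in `str_replace_partial`; that part of the function is above this hunk and not visible here. If the invariant holds, record it next to the check, e.g. `/* pos and end are already bounded by len, so len - (end - pos) is non-negative and cannot overflow */`. If it is not guaranteed for every caller, keep a lower bound by adding `|| newlen < 0` to the condition so a bad length never reaches the resize and copy that presumably follow.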