From 8a41d2b876e77b9e0718fa4faf5b5d884c7b0b5d Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Thu, 9 Sep 2021 19:12:36 +0900
Subject: string.c: check integer overflow in `mrb_str_aset()`.

---
 src/string.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'src/string.c')

diff --git a/src/string.c b/src/string.c
index 6643b543e..550f24c7a 100644
--- a/src/string.c
+++ b/src/string.c
@@ -1375,7 +1375,10 @@ mrb_str_aset(mrb_state *mrb, mrb_value str, mrb_value indx, mrb_value alen, mrb_
 str_range_to_bytes(str, &beg, &len);
 /* fall through */
 case STR_BYTE_RANGE_CORRECTED:
- str_replace_partial(mrb, str, beg, beg + len, replace);
+ if (mrb_int_add_overflow(beg, len, &len)) {
+ mrb_raise(mrb, E_RUNTIME_ERROR, "string index too big");
+ }
+ str_replace_partial(mrb, str, beg, len, replace);
 }
 }

-- 
cgit v1.2.3
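Review bot: In the `STR_BYTE_RANGE_CORRECTED` case the overflow check writes the sum back into `len`, so from that point `len` holds an end offset rather than a length, which is easy to misread in a bounds-sensitive path. A separate local would keep the two apart: `if (mrb_int_add_overflow(beg, len, &end)) {` followed by `str_replace_partial(mrb, str, beg, end, replace);`, with `end` declared next to `beg` and `len` (their declarations, like the rest of `mrb_str_aset`, are outside the hunk). The check only rejects signed wraparound; whether a non-overflowing end offset that still exceeds the string's byte length is clamped depends on `str_replace_partial`, which is not visible here and is worth confirming. The diffstat shows only `src/string.c` changed, so a regression test that exercises the new error path would be a useful addition.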