From 0bb4afe9421cc803a885cb6006792d405e4c0009 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Wed, 23 Dec 2020 10:33:31 +0900
Subject: Fix the integer overflow in `mrb_str_len_to_inum()`.
---
 src/string.c | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)
(limited to 'src')
diff --git a/src/string.c b/src/string.c
index 4d09c7eab..0cb9eaf83 100644
--- a/src/string.c
+++ b/src/string.c
@@ -2345,16 +2345,12 @@ mrb_str_len_to_inum(mrb_state *mrb, const char *str, size_t len, mrb_int base, i
 }
 n *= base;
 n += c;
- if (n > (uint64_t)MRB_INT_MAX + (sign ? 0 : 1)) {
-#ifndef MRB_NO_FLOAT
- if (base == 10) {
- return mrb_float_value(mrb, mrb_str_to_dbl(mrb, mrb_str_new(mrb, str, len), badcheck));
- }
- else
-#endif
- {
- mrb_raisef(mrb, E_RANGE_ERROR, "string (%l) too big for integer", str, pend-str);
+ if (n > (uint64_t)MRB_INT_MAX) {
+ if (sign == 0 && n == (uint64_t)MRB_INT_MIN) {
+ sign = 1;
+ break;
 }
+ mrb_raisef(mrb, E_RANGE_ERROR, "string (%l) too big for integer", str, pend-str);
 }
 }
 val = (mrb_int)n;
--
cgit v1.2.3
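Review bot: The range check on `n` runs only after `n *= base; n += c;`, so if `n` is a 64-bit unsigned value (the `(uint64_t)` casts suggest so, but its declaration is outside the hunk) and `mrb_int` is 64 bits wide, the multiplication can wrap and land back at or below `MRB_INT_MAX`, letting an over-long digit string parse as a small integer instead of raising `E_RANGE_ERROR`. A guard before the multiplication closes that, for example `if (n > (UINT64_MAX - (uint64_t)c) / (uint64_t)base)` followed by the same `mrb_raisef` call. Separately, the new `break` leaves the loop on the digit that reaches the `MRB_INT_MIN` magnitude, so any later digits are never examined and the loop's own increment is skipped. The loop header and the trailing-garbage handling are outside the hunk, so it is worth confirming that a longer negative literal still raises and that an exact `MRB_INT_MIN` string still passes when `badcheck` is set.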