From caba1a19dc3f9e31612d8439cfa7fbf60d05bbb0 Mon Sep 17 00:00:00 2001
From: ksss <co000ri@gmail.com>
Date: Tue, 27 Dec 2016 15:48:53 +0900
Subject: Check array max size

Fix #3354
---
 src/array.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'src')

diff --git a/src/array.c b/src/array.c
index 056d72920..2ce4e5dc6 100644
--- a/src/array.c
+++ b/src/array.c
@@ -619,6 +619,10 @@ mrb_ary_splice(mrb_state *mrb, mrb_value ary, mrb_int head, mrb_int len, mrb_val
   size = head + argc;
 
   if (tail < a->len) size += a->len - tail;
+
+  if (size < 0 || size > ARY_MAX_SIZE)
+    mrb_raise(mrb, E_ARGUMENT_ERROR, "array size too big");
+
   if (size > a->aux.capa)
     ary_expand_capa(mrb, a, size);
 
-- 
cgit v1.2.3