`mrb_int` may overflow in bit-shifting; fix #3620

262fbaf5 · Yukihiro "Matz" Matsumoto · 3567b262 · 262fbaf5
Commit 262fbaf5 authored Apr 21, 2017 by Yukihiro "Matz" Matsumoto
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 2 deletions

src/numeric.c src/numeric.c +6 -2

No files found.
--- a/src/numeric.c
+++ b/src/numeric.c
@@ -938,7 +938,9 @@ fix_xor(mrb_state *mrb, mrb_value x)
 static mrb_value
 lshift(mrb_state *mrb, mrb_int val, mrb_int width)
 {
-  mrb_assert(width > 0);
+  if (width < 0) {              /* mrb_int overflow */
+    return mrb_float_value(mrb, INFINITY);
+  }
  if (val > 0) {
    if ((width > NUMERIC_SHIFT_WIDTH_MAX) ||
        (val   > (MRB_INT_MAX >> width))) {
@@ -967,7 +969,9 @@ bit_overflow:
 static mrb_value
 rshift(mrb_int val, mrb_int width)
 {
-  mrb_assert(width > 0);
+  if (width < 0) {              /* mrb_int overflow */
+    return mrb_fixnum_value(0);
+  }
  if (width >= NUMERIC_SHIFT_WIDTH_MAX) {
    if (val < 0) {
      return mrb_fixnum_value(-1);