Fix more integer overflows.

2bc3a5fb · Clayton Smith · 2cca9d36 · 2bc3a5fb
Unverified Commit 2bc3a5fb authored Nov 30, 2016 by Clayton Smith
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 3 deletions

src/array.c src/array.c +8 -3

No files found.
--- a/src/array.c
+++ b/src/array.c
@@ -173,11 +173,13 @@ ary_expand_capa(mrb_state *mrb, struct RArray *a, mrb_int len)
    capa = ARY_DEFAULT_LEN;
  }
  while (capa < len) {
-    capa *= 2;
+    if (capa <= ARY_MAX_SIZE / 2) {
+      capa *= 2;
+    } else {
+      capa = ARY_MAX_SIZE;
+    }
  }

-  if (capa > ARY_MAX_SIZE) capa = ARY_MAX_SIZE; /* len <= capa <= ARY_MAX_SIZE */
-
  if (capa > a->aux.capa) {
    mrb_value *expanded_ptr = (mrb_value *)mrb_realloc(mrb, a->ptr, sizeof(mrb_value)*capa);

@@ -503,6 +505,9 @@ mrb_ary_unshift_m(mrb_state *mrb, mrb_value self)
  mrb_int len;

  mrb_get_args(mrb, "*", &vals, &len);
+  if (len > ARY_MAX_SIZE - a->len) {
+    mrb_raise(mrb, E_ARGUMENT_ERROR, "array size too big");
+  }
  if (ARY_SHARED_P(a)
      && a->aux.shared->refcnt == 1 /* shared only referenced from this array */
      && a->ptr - a->aux.shared->ptr >= len) /* there's room for unshifted item */ {