pack.c: check integer overflow in unpacking BER; fix #5611

3b59c95e · Yukihiro "Matz" Matsumoto · 42a6872c · 3b59c95e
Unverified Commit 3b59c95e authored Dec 23, 2021 by Yukihiro "Matz" Matsumoto
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

mrbgems/mruby-pack/src/pack.c mrbgems/mruby-pack/src/pack.c +3 -0

No files found.
--- a/mrbgems/mruby-pack/src/pack.c
+++ b/mrbgems/mruby-pack/src/pack.c
@@ -415,6 +415,9 @@ unpack_BER(mrb_state *mrb, const unsigned char *src, int srclen, mrb_value ary,
  const unsigned char *e = p + srclen;

  for (i=1; p<e; p++,i++) {
+    if (n > (MRB_INT_MAX>>7)) {
+      mrb_raise(mrb, E_RANGE_ERROR, "BER unpacking 'w' overflow");
+    }
    n <<= 7;
    n |= *p & 0x7f;
    if ((*p & 0x80) == 0) break;