Check negative offset in `pack` method; fix #3944

74837530 · Yukihiro "Matz" Matsumoto · c5ec37a8 · 74837530
Commit 74837530 authored Feb 13, 2018 by Yukihiro "Matz" Matsumoto
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

mrbgems/mruby-pack/src/pack.c mrbgems/mruby-pack/src/pack.c +6 -1

No files found.
--- a/mrbgems/mruby-pack/src/pack.c
+++ b/mrbgems/mruby-pack/src/pack.c
@@ -107,6 +107,9 @@ static mrb_value
 str_len_ensure(mrb_state *mrb, mrb_value str, mrb_int len)
 {
  mrb_int n = RSTRING_LEN(str);
+  if (len < 0) {
+    mrb_raise(mrb, E_RANGE_ERROR, "negative (or overflowed) integer");
+  }
  if (len > n) {
    do {
      n *= 2;
@@ -840,7 +843,6 @@ pack_x(mrb_state *mrb, mrb_value src, mrb_value dst, mrb_int didx, long count, u
  }
  return count;
 }
-
 static int
 unpack_x(mrb_state *mrb, const void *src, int slen, mrb_value ary, int count, unsigned int flags)
 {
@@ -1176,6 +1178,9 @@ mrb_pack_pack(mrb_state *mrb, mrb_value ary)
        count--;
      }
    }
+    if (ridx < 0) {
+      mrb_raise(mrb, E_RANGE_ERROR, "negative (or overflowed) template size");
+    }
  }

  mrb_str_resize(mrb, result, ridx);