From d02ef8342cb24af29aff64ff7985594845989bdb Mon Sep 17 00:00:00 2001 From: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> Date: Wed, 25 Jun 2008 06:28:53 +0000 Subject: [PATCH] * array.c (rb_ary_fill): not depend on unspecified behavior at integer overflow. reported by Vincenzo Iozzo <snagg AT openssl.it>. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@17570 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- ChangeLog | 5 +++++ array.c | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 36792b4f09..a6c4386581 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +Wed Jun 25 15:28:50 2008 Nobuyoshi Nakada <nobu@ruby-lang.org> + + * array.c (rb_ary_fill): not depend on unspecified behavior at integer + overflow. reported by Vincenzo Iozzo <snagg AT openssl.it>. + Wed Jun 25 13:42:44 2008 NARUSE, Yui <naruse@ruby-lang.org> * lib/erb.rb (ERB::Compiler:Buffer#new): push magic comment first. diff --git a/array.c b/array.c index 783e5a5e39..7d8d406783 100644 --- a/array.c +++ b/array.c @@ -2145,10 +2145,10 @@ rb_ary_fill(int argc, VALUE *argv, VALUE ary) break; } rb_ary_modify(ary); - end = beg + len; - if (end < 0) { + if (len > ARY_MAX_SIZE - beg) { rb_raise(rb_eArgError, "argument too big"); } + end = beg + len; if (RARRAY_LEN(ary) < end) { if (end >= ARY_CAPA(ary)) { RESIZE_CAPA(ary, end);