From d02ef8342cb24af29aff64ff7985594845989bdb Mon Sep 17 00:00:00 2001
From: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Wed, 25 Jun 2008 06:28:53 +0000
Subject: [PATCH] * array.c (rb_ary_fill): not depend on unspecified behavior
 at integer   overflow.  reported by Vincenzo Iozzo <snagg AT openssl.it>.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@17570 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog | 5 +++++
 array.c   | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 36792b4f09..a6c4386581 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Wed Jun 25 15:28:50 2008  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* array.c (rb_ary_fill): not depend on unspecified behavior at integer
+	  overflow.  reported by Vincenzo Iozzo <snagg AT openssl.it>.
+
 Wed Jun 25 13:42:44 2008  NARUSE, Yui  <naruse@ruby-lang.org>
 
 	* lib/erb.rb (ERB::Compiler:Buffer#new): push magic comment first.
diff --git a/array.c b/array.c
index 783e5a5e39..7d8d406783 100644
--- a/array.c
+++ b/array.c
@@ -2145,10 +2145,10 @@ rb_ary_fill(int argc, VALUE *argv, VALUE ary)
 	break;
     }
     rb_ary_modify(ary);
-    end = beg + len;
-    if (end < 0) {
+    if (len > ARY_MAX_SIZE - beg) {
 	rb_raise(rb_eArgError, "argument too big");
     }
+    end = beg + len;
     if (RARRAY_LEN(ary) < end) {
 	if (end >= ARY_CAPA(ary)) {
 	    RESIZE_CAPA(ary, end);