ATRONIX: Check overflow of size calculation in series expansion

This fixes the crash caused by (turn it into an exception): a: read %/bin/ls b: make binary! 1024 loop 20000 [ append b a ] (cherry picked from commit e1e8891)
Oldes · Sep 21, 2018 · 7eca4c3 · 7eca4c3
1 parent afb3282
commit 7eca4c3
Showing 1 changed file with 12 additions and 2 deletions.
diff --git a/src/core/m-series.c b/src/core/m-series.c
@@ -60,7 +60,7 @@
 ***********************************************************************/
 {
 	REBCNT start;
-	REBCNT size;
+	REBCNT size, new_size;
 	REBCNT extra;
 	REBCNT wide;
 	REBSER *newser, swap;
@@ -112,7 +112,17 @@
 #ifdef DEBUGGING
 		Print_Num("Expand:", series->tail + delta + 1);
 #endif
-		newser = Make_Series(series->tail + delta + x, wide, TRUE);
+		new_size = series->tail + delta + x;
+		if (new_size < series->tail
+			|| new_size < delta
+			|| new_size < x
+			|| new_size < series->tail + delta
+			|| new_size < series->tail + x
+			|| new_size < delta + x) {
+			Trap0(RE_PAST_END);
+		}
+
+		newser = Make_Series(new_size, wide, TRUE);
 		// If necessary, add series to the recently expanded list:
 		if (Prior_Expand[n] != series) {
 			n = (REBUPT)(Prior_Expand[0]) + 1;