Merge pull request #4726 from adityamandaleeka/array_alloc_bounds_check

Fix array allocation bounds checking on Unix
dotnet · May 3, 2016 · 92d7091 · 92d7091
2 parents 32e44ef + 16c9dfb
commit 92d7091
Showing 1 changed file with 17 additions and 2 deletions.
diff --git a/src/vm/gchelpers.cpp b/src/vm/gchelpers.cpp
@@ -350,13 +350,28 @@ OBJECTREF AllocateArrayEx(TypeHandle arrayType, INT32 *pArgs, DWORD dwNumArgs, B
                 lowerBound = pArgs[i];
                 i++;
             }
+
             int length = pArgs[i];
             if (length < 0)
                 COMPlusThrow(kOverflowException);
+
             if ((SIZE_T)length > MaxArrayLength(componentSize))
+            {
+                // This will cause us to throw below if we don't throw anything else before then.
                 maxArrayDimensionLengthOverflow = true;
-            if ((length > 0) && (lowerBound + (length - 1) < lowerBound))
-                COMPlusThrow(kArgumentOutOfRangeException, W("ArgumentOutOfRange_ArrayLBAndLength"));
+            }
+
+            if (length > 0)
+            {
+                int highestAllowableLowerBound = INT32_MAX - (length - 1);
+                if (lowerBound > highestAllowableLowerBound)
+                {
+                    // We throw because the lower bound is large enough that the sum of the 
+                    // dimension's length and the lower bound would exceed INT32_MAX.
+                    COMPlusThrow(kArgumentOutOfRangeException, W("ArgumentOutOfRange_ArrayLBAndLength"));
+                }
+            }
+
             safeTotalElements = safeTotalElements * S_UINT32(length);
             if (safeTotalElements.IsOverflow())
                 ThrowOutOfMemoryDimensionsExceeded();