Skip to content

Commit

Permalink
mrb_int may overflow in bit-shifting; fix #3620
Browse files Browse the repository at this point in the history
  • Loading branch information
@matz
matz committed Apr 20, 2017
1 parent 3567b26 commit 262fbaf
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions src/numeric.c
View file
Expand Up @@ -938,7 +938,9 @@ fix_xor(mrb_state *mrb, mrb_value x)
static mrb_value
lshift(mrb_state *mrb, mrb_int val, mrb_int width)
{
mrb_assert(width > 0);
if (width < 0) { /* mrb_int overflow */
return mrb_float_value(mrb, INFINITY);
}
if (val > 0) {
if ((width > NUMERIC_SHIFT_WIDTH_MAX) ||
(val > (MRB_INT_MAX >> width))) {
Expand Down Expand Up @@ -967,7 +969,9 @@ lshift(mrb_state *mrb, mrb_int val, mrb_int width)
static mrb_value
rshift(mrb_int val, mrb_int width)
{
mrb_assert(width > 0);
if (width < 0) { /* mrb_int overflow */
return mrb_fixnum_value(0);
}
if (width >= NUMERIC_SHIFT_WIDTH_MAX) {
if (val < 0) {
return mrb_fixnum_value(-1);
Expand Down

0 comments on commit 262fbaf

Please sign in to comment.