Permalink
Browse files

`mrb_int` may overflow in bit-shifting; fix #3620

  • Loading branch information...
matz committed Apr 20, 2017
1 parent 3567b26 commit 262fbaf566cc5eb8c375adde01a427a832f8d9c2
Showing with 6 additions and 2 deletions.
  1. +6 −2 src/numeric.c
View
@@ -938,7 +938,9 @@ fix_xor(mrb_state *mrb, mrb_value x)
static mrb_value
lshift(mrb_state *mrb, mrb_int val, mrb_int width)
{
mrb_assert(width > 0);
if (width < 0) { /* mrb_int overflow */
return mrb_float_value(mrb, INFINITY);
}
if (val > 0) {
if ((width > NUMERIC_SHIFT_WIDTH_MAX) ||
(val > (MRB_INT_MAX >> width))) {
@@ -967,7 +969,9 @@ lshift(mrb_state *mrb, mrb_int val, mrb_int width)
static mrb_value
rshift(mrb_int val, mrb_int width)
{
mrb_assert(width > 0);
if (width < 0) { /* mrb_int overflow */
return mrb_fixnum_value(0);
}
if (width >= NUMERIC_SHIFT_WIDTH_MAX) {
if (val < 0) {
return mrb_fixnum_value(-1);

0 comments on commit 262fbaf

Please sign in to comment.