From 262fbaf566cc5eb8c375adde01a427a832f8d9c2 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Fri, 21 Apr 2017 08:55:19 +0900
Subject: [PATCH] `mrb_int` may overflow in bit-shifting; fix #3620
---
src/numeric.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/numeric.c b/src/numeric.c
index b4b85a9c6d..3c8729a0cc 100644
--- a/src/numeric.c
+++ b/src/numeric.c
@@ -938,7 +938,9 @@ fix_xor(mrb_state *mrb, mrb_value x)
 static mrb_value
 lshift(mrb_state *mrb, mrb_int val, mrb_int width)
 {
- mrb_assert(width > 0);
+ if (width < 0) { /* mrb_int overflow */
+ return mrb_float_value(mrb, INFINITY);
+ }
 if (val > 0) {
 if ((width > NUMERIC_SHIFT_WIDTH_MAX) ||
 (val > (MRB_INT_MAX >> width))) {
@@ -967,7 +969,9 @@ lshift(mrb_state *mrb, mrb_int val, mrb_int width)
 static mrb_value
 rshift(mrb_int val, mrb_int width)
 {
- mrb_assert(width > 0);
+ if (width < 0) { /* mrb_int overflow */
+ return mrb_fixnum_value(0);
+ }
 if (width >= NUMERIC_SHIFT_WIDTH_MAX) {
 if (val < 0) {
 return mrb_fixnum_value(-1);
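Review bot: The new `width < 0` guard in lshift returns `+INFINITY` without looking at `val`, so a negative `val` gets the wrong sign and a zero `val` becomes infinite instead of staying 0; the guard sits before the `if (val > 0)` split, so neither case is distinguished. Adding `if (val == 0) return mrb_fixnum_value(0);` and returning `mrb_float_value(mrb, val < 0 ? -INFINITY : INFINITY)` would keep the sign. The comment `/* mrb_int overflow */` should also say where the overflow happens: presumably a caller negates `MRB_INT_MIN`, which is undefined behaviour for signed integers in C, so a check placed in the callee depends on how the compiler treated that negation, and rejecting `MRB_INT_MIN` before negating at the call site would be more robust. The callers and the rest of lshift's body are outside the hunk.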
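Review bot: In rshift the overflow guard returns 0 for every `val`, while the saturation branch directly below it returns -1 for a negative `val` once `width >= NUMERIC_SHIFT_WIDTH_MAX`; if a negative width here stands for a shift count too large to represent, the two paths should agree. `return mrb_fixnum_value(val < 0 ? -1 : 0);` would make them consistent. With `mrb_assert(width > 0)` removed, the precondition is no longer written down anywhere in the function, so a short comment stating that `width` is expected to be non-negative and only arrives negative after a wrapped negation in the caller would help the next reader. rshift's body continues past the end of the hunk.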