Use size_t to avoid integer overflow in mrb_ary_splice(); fix #3413
matz committed Jan 24, 2017
1 parent 28cf7a5 commit 72bff2932ba983b4e8aaedda50fa5663dcc5c3ed
Showing 1 changed file with 5 additions and 2 deletions.
@@ -591,6 +591,7 @@ mrb_ary_splice(mrb_state *mrb, mrb_value ary, mrb_int head, mrb_int len, mrb_val
struct RArray *a = mrb_ary_ptr(ary);
const mrb_value *argv;
mrb_int argc;
size_t tail;

ary_modify(mrb, a);

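Review bot: declaring `tail` as `size_t` does not by itself remove the overflow the commit message targets, because `tail` is assigned further down from `head + len`, and that addition is still evaluated in `mrb_int` before the result is converted. Either widen an operand where the sum is formed (`tail = (size_t)head + (size_t)len;`) or keep `tail` an `mrb_int` and test `len > MRB_INT_MAX - head` (or the project's equivalent bound) before adding. Mixing the unsigned `size_t` with the signed `a->len` also forces a cast at every comparison, which the later hunks show.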
@@ -604,7 +605,8 @@ mrb_ary_splice(mrb_state *mrb, mrb_value ary, mrb_int head, mrb_int len, mrb_val
mrb_raise(mrb, E_INDEX_ERROR, "index is out of array");
}
}
if (a->len < len || a->len < head + len) {
tail = head + len;

@clayton-shopify (Contributor) commented Jan 24, 2017

This still gives incorrect results if size_t is longer than mrb_int. If head and len are 0x40000000, then the result is tail = 0xffffffff80000000. I think head and/or len need to be cast to size_t for this to work correctly.

if (a->len < len || (size_t)a->len < tail) {
len = a->len - head;
}

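Review bot: `tail = head + len;` still performs the addition in `mrb_int`, so the signed overflow this check is meant to guard against happens before `tail` ever becomes `size_t`. On a build where `mrb_int` is 32 bits and `size_t` is 64 bits the wrapped negative sum is then sign-extended (the `0xffffffff80000000` value given in the inline comment), and with a 64-bit `mrb_int` the overflow is undefined behaviour. Write `tail = (size_t)head + (size_t)len;` so the sum is formed in the wider type. Note also that `(size_t)a->len < tail` only clamps correctly when `head` and `len` are non-negative; the preceding `E_INDEX_ERROR` branch covers `head`, but nothing in the visible context checks the sign of `len`.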
@@ -647,7 +649,8 @@ mrb_ary_splice(mrb_state *mrb, mrb_value ary, mrb_int head, mrb_int len, mrb_val
}

if (len != argc) {
value_move(a->ptr + head + argc, a->ptr + head + len, a->len - (head + len));
tail = head + len;

@clayton-shopify (Contributor) commented Jan 24, 2017

Likewise here.

value_move(a->ptr + head + argc, a->ptr + tail, a->len - tail);
a->len = alen;
}
if (argc > 0) {

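Review bot: the second `tail = head + len;` has the same narrow addition as the first, and here `a->len - tail` is evaluated in `size_t` after `a->len` is converted, so if `tail` ever exceeded `a->len` the element count passed to `value_move` would wrap to a huge unsigned value instead of going negative. This is only safe because the earlier hunk clamped `len` to `a->len - head`; either compute `tail` once with widened operands after that clamp and reuse it, or keep this subtraction in `mrb_int`, where the sign is meaningful and can be checked.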
1 comment on commit 72bff29

@matz (Member, Author) commented on 72bff29 Jun 17, 2017


b0f918d to use mrb_int instead of size_t.
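The width mismatch raised in the inline review comment, shown as an added stand-alone C example. This is not mruby code and not part of this commit or its follow-up: `demo_int` stands in for a 32-bit `mrb_int` (an MRB_INT32 build), the host is assumed to have a 64-bit `size_t`, and every function name below is this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions for this illustration (not mruby code): demo_int stands in for a
 * 32-bit mrb_int, and the host's size_t is 64 bits wide. */
typedef int32_t demo_int;

/* What `tail = head + len` yields when the sum is formed in the 32-bit signed
 * type and only then converted to size_t.  The wrap is done in unsigned
 * arithmetic so this demo has no undefined signed overflow; converting
 * 0x80000000 back to demo_int is implementation-defined and yields INT32_MIN
 * on the two's-complement compilers in common use. */
size_t tail_wrapped(demo_int head, demo_int len) {
    demo_int sum = (demo_int)((uint32_t)head + (uint32_t)len);
    return (size_t)sum;   /* sign-extended on a 64-bit host: 0xffffffff80000000 */
}

/* Widening each operand before the addition keeps the sum in size_t, so
 * 0x40000000 + 0x40000000 is 0x80000000 as intended. */
size_t tail_widened(demo_int head, demo_int len) {
    return (size_t)head + (size_t)len;
}

/* Overflow test that never leaves the signed type, so it does not depend on
 * sizeof(size_t) at all.  Both operands are expected to be non-negative. */
bool add_overflows(demo_int head, demo_int len) {
    return len > INT32_MAX - head;
}

/* The clamp the patched check is trying to express: a splice of `len`
 * elements starting at `head` must not run past `a_len`.  Returns the clamped
 * length, or -1 for arguments the real function rejects before this point. */
demo_int clamp_splice_len(demo_int a_len, demo_int head, demo_int len) {
    if (a_len < 0 || head < 0 || len < 0 || head > a_len) return -1;
    /* Test for overflow before adding; a_len - head cannot underflow here. */
    if (add_overflows(head, len) || len > a_len - head) len = a_len - head;
    return len;
}

int main(void) {
    demo_int head = 0x40000000, len = 0x40000000;   /* the values from the review comment */
    printf("wrapped:  0x%llx\n", (unsigned long long)tail_wrapped(head, len));
    printf("widened:  0x%llx\n", (unsigned long long)tail_widened(head, len));
    printf("overflow: %d\n", add_overflows(head, len));
    printf("clamped:  0x%x\n", (unsigned)clamp_splice_len(INT32_MAX, head, len));
    return 0;
}
```

`tail_wrapped` reproduces the `0xffffffff80000000` result from the comment; `tail_widened` shows the cast the comment asks for; `add_overflows` and `clamp_splice_len` show the alternative of staying in the signed type and checking before the addition, which works the same whether `size_t` is wider than `mrb_int` or not.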
