
Use size_t to avoid integer overflow in mrb_ary_splice(); fix #3413

matz committed Jan 24, 2017
1 parent 28cf7a5 commit 72bff2932ba983b4e8aaedda50fa5663dcc5c3ed
Showing with 5 additions and 2 deletions.
  1. +5 −2 src/array.c
@@ -591,6 +591,7 @@ mrb_ary_splice(mrb_state *mrb, mrb_value ary, mrb_int head, mrb_int len, mrb_val
struct RArray *a = mrb_ary_ptr(ary);
const mrb_value *argv;
mrb_int argc;
size_t tail;
ary_modify(mrb, a);
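Review bot: declaring `size_t tail;` only helps if size_t is actually wider than mrb_int, and that is not guaranteed: mruby can be built with a 64-bit mrb_int (MRB_INT64), and on a 32-bit target size_t is then narrower than mrb_int, so a sum computed into it still cannot hold an overflowing head + len. A type that is at least as wide as mrb_int on every configuration, or a check written without the addition at all (`len > a->len - head` after head has been validated), avoids depending on the platform relationship between the two types; the later follow-up b0f918d going back to mrb_int points the same way.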
@@ -604,7 +605,8 @@ mrb_ary_splice(mrb_state *mrb, mrb_value ary, mrb_int head, mrb_int len, mrb_val
mrb_raise(mrb, E_INDEX_ERROR, "index is out of array");
}
}
if (a->len < len || a->len < head + len) {
tail = head + len;

@clayton-shopify

clayton-shopify Jan 24, 2017

Contributor

This still gives incorrect results if size_t is longer than mrb_int. If head and len are 0x40000000, then the result is tail = 0xffffffff80000000. I think head and/or len need to be cast to size_t for this to work correctly.

if (a->len < len || (size_t)a->len < tail) {
len = a->len - head;
}
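Review bot: the overflow this hunk is meant to remove is still present on the added `tail = head + len;` line, because both operands are mrb_int: the addition is performed in mrb_int, wraps there, and only the already-wrapped (and sign-extended) result is converted to size_t, which is exactly the 0xffffffff80000000 case the inline comment describes for head = len = 0x40000000. Cast one operand before adding, e.g. `tail = (size_t)head + len;`, or rewrite the condition as `len > a->len - head`, which needs no sum and cannot overflow once head has been checked against a->len in the lines above.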
@@ -647,7 +649,8 @@ mrb_ary_splice(mrb_state *mrb, mrb_value ary, mrb_int head, mrb_int len, mrb_val
}
if (len != argc) {
value_move(a->ptr + head + argc, a->ptr + head + len, a->len - (head + len));
tail = head + len;

@clayton-shopify

clayton-shopify Jan 24, 2017

Contributor

Likewise here.

value_move(a->ptr + head + argc, a->ptr + tail, a->len - tail);
a->len = alen;
}
if (argc > 0) {
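Review bot: the same mrb_int addition on `tail = head + len;` applies here, and the new `a->len - tail` argument to value_move now mixes mrb_int and size_t, so a->len is converted to size_t and any tail larger than a->len would produce a huge unsigned length instead of a negative one. This is only safe because len was clamped to a->len - head in the earlier hunk and a->len has not been changed in between; making that explicit with the same cast on head, or an assertion that tail <= (size_t)a->len before the move, would keep the two hunks from silently depending on each other.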

1 comment on commit 72bff29

@matz

matz Jun 17, 2017

Member

b0f918d to use mrb_int instead of size_t.
