Use size_t to avoid integer overflow in mrb_ary_splice(); fix #3413

mruby · Jan 24, 2017 · 72bff2932ba983b4e8aaedda50fa5663dcc5c3ed · clayton-shopify · Jan 24, 2017 · clayton-shopify
1 parent 28cf7a5
commit 72bff2932ba983b4e8aaedda50fa5663dcc5c3ed
Unified Split

Showing with 5 additions and 2 deletions.

+5 −2 src/array.c
diff --git a/src/array.c b/src/array.c
@@ -591,6 +591,7 @@ mrb_ary_splice(mrb_state *mrb, mrb_value ary, mrb_int head, mrb_int len, mrb_val
  struct RArray *a = mrb_ary_ptr(ary);
  const mrb_value *argv;
  mrb_int argc;
+  size_t tail;

  ary_modify(mrb, a);

@@ -604,7 +605,8 @@ mrb_ary_splice(mrb_state *mrb, mrb_value ary, mrb_int head, mrb_int len, mrb_val
      mrb_raise(mrb, E_INDEX_ERROR, "index is out of array");
    }
  }
-  if (a->len < len || a->len < head + len) {
+  tail = head + len;
+  if (a->len < len || (size_t)a->len < tail) {
    len = a->len - head;
  }

@@ -647,7 +649,8 @@ mrb_ary_splice(mrb_state *mrb, mrb_value ary, mrb_int head, mrb_int len, mrb_val
    }

    if (len != argc) {
-      value_move(a->ptr + head + argc, a->ptr + head + len, a->len - (head + len));
+      tail = head + len;
+      value_move(a->ptr + head + argc, a->ptr + tail, a->len - tail);
      a->len = alen;
    }
    if (argc > 0) {