* array.c (rb_ary_fill): not depend on unspecified behavior at integer

overflow. reported by Vincenzo Iozzo <snagg AT openssl.it>. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8@17570 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
author: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2008-06-25 06:28:53 +0000
committer: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2008-06-25 06:28:53 +0000
commit: d530436d0cf385da7056dd0a6e7999b2cf221d00 (patch)
tree: f17f737e854a071f29aba851c262bfcffd84f9bf
parent: eef46cdb06810c2a53b7dc6d41d8b9f8006adbcb (diff)
2 files changed, 7 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 5c15c2acba..4ee477d884 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Wed Jun 25 15:28:50 2008  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* array.c (rb_ary_fill): not depend on unspecified behavior at integer
+	  overflow.  reported by Vincenzo Iozzo <snagg AT openssl.it>.
+
 Wed Jun 25 00:01:27 2008  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* common.mk (revision.h): moved from Makefile.in.
diff --git a/array.c b/array.c
index 9814722382..f4ed6e67d8 100644
--- a/array.c
+++ b/array.c
@@ -2416,10 +2416,10 @@ rb_ary_fill(argc, argv, ary)
 	break;
     }
     rb_ary_modify(ary);
-    end = beg + len;
-    if (end < 0) {
+    if (len > ARY_MAX_SIZE - beg) {
 	rb_raise(rb_eArgError, "argument too big");
     }
+    end = beg + len;
     if (end > RARRAY(ary)->len) {
 	if (end >= RARRAY(ary)->aux.capa) {
 	    REALLOC_N(RARRAY(ary)->ptr, VALUE, end);
author	nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2008-06-25 06:28:53 +0000
committer	nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2008-06-25 06:28:53 +0000
commit	d530436d0cf385da7056dd0a6e7999b2cf221d00 (patch)
tree	f17f737e854a071f29aba851c262bfcffd84f9bf
parent	eef46cdb06810c2a53b7dc6d41d8b9f8006adbcb (diff)