diff options
| author | usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2015-08-17 07:21:29 +0000 |
|---|---|---|
| committer | usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2015-08-17 07:21:29 +0000 |
| commit | b2bb02940199c3a540e903e9bb5b31abbf26f4aa (patch) | |
| tree | a118f29872e80bc968292ed9533c8823f057fcfa /array.c | |
| parent | e9ea9d6527b1f1db455d89ce6e5b6c3cfa40a184 (diff) | |
merge revision(s) 50827,50921: [Backport #11235]
* array.c (ary_ensure_room_for_push): check if array size will
exceed maxmum size to get rid of buffer overflow.
[ruby-dev:49043] [Bug #11235]
* array.c (ary_ensure_room_for_unshift, rb_ary_splice): ditto.
exceed maximum size to get rid of buffer overflow.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_1@51597 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'array.c')
| -rw-r--r-- | array.c | 13 |
1 files changed, 12 insertions, 1 deletions
@@ -354,9 +354,13 @@ rb_ary_modify(VALUE ary) static void ary_ensure_room_for_push(VALUE ary, long add_len) { - long new_len = RARRAY_LEN(ary) + add_len; + long old_len = RARRAY_LEN(ary); + long new_len = old_len + add_len; long capa; + if (old_len > ARY_MAX_SIZE - add_len) { + rb_raise(rb_eIndexError, "index %ld too big", new_len); + } if (ARY_SHARED_P(ary)) { if (new_len > RARRAY_EMBED_LEN_MAX) { VALUE shared = ARY_SHARED(ary); @@ -1078,6 +1082,10 @@ ary_ensure_room_for_unshift(VALUE ary, int argc) long capa; const VALUE *head, *sharedp; + if (len > ARY_MAX_SIZE - argc) { + rb_raise(rb_eIndexError, "index %ld too big", new_len); + } + if (ARY_SHARED_P(ary)) { VALUE shared = ARY_SHARED(ary); capa = RARRAY_LEN(shared); @@ -1569,6 +1577,9 @@ rb_ary_splice(VALUE ary, long beg, long len, VALUE rpl) else { long alen; + if (olen - len > ARY_MAX_SIZE - rlen) { + rb_raise(rb_eIndexError, "index %ld too big", olen + rlen - len); + } rb_ary_modify(ary); alen = olen + rlen - len; if (alen >= ARY_CAPA(ary)) { |