merge revision(s) 17570:

* array.c (rb_ary_fill): not depend on unspecified behavior at integer overflow. reported by Vincenzo Iozzo <snagg AT openssl.it>. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8_6@17688 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
author: shyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2008-06-29 09:24:21 +0000
committer: shyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2008-06-29 09:24:21 +0000
commit: 526a28d851ba4ec2ab8e5c2321af43cda2dd1d7f (patch)
tree: e47d5fa04ffc67fa05384bbd652e93702a87788b /array.c
parent: 007bfbc9e1be697a73d282111b9dcf5b5c73fa55 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/array.c b/array.c
index c5261044da..7f23940e43 100644
--- a/array.c
+++ b/array.c
@@ -2272,10 +2272,10 @@ rb_ary_fill(argc, argv, ary)
 	break;
     }
     rb_ary_modify(ary);
-    end = beg + len;
-    if (end < 0) {
+    if (len > ARY_MAX_SIZE - beg) {
 	rb_raise(rb_eArgError, "argument too big");
     }
+    end = beg + len;
     if (end > RARRAY(ary)->len) {
 	if (end >= RARRAY(ary)->aux.capa) {
 	    REALLOC_N(RARRAY(ary)->ptr, VALUE, end);
author	shyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2008-06-29 09:24:21 +0000
committer	shyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2008-06-29 09:24:21 +0000
commit	526a28d851ba4ec2ab8e5c2321af43cda2dd1d7f (patch)
tree	e47d5fa04ffc67fa05384bbd652e93702a87788b /array.c
parent	007bfbc9e1be697a73d282111b9dcf5b5c73fa55 (diff)