fiddle/function.c: check argument size

* ext/fiddle/function.c (initialize): check argument number if the
  temporary buffer exceeds size_t max.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@45300 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

1 files changed, 14 insertions, 0 deletions

diff --git a/ext/fiddle/function.c b/ext/fiddle/function.c
index 56f949ed03..4c297f7751 100644
--- a/ext/fiddle/function.c
+++ b/ext/fiddle/function.c
@@ -11,6 +11,18 @@
 
 VALUE cFiddleFunction;
 
+#define MAX_ARGS (SIZE_MAX / (sizeof(void *) + sizeof(fiddle_generic)) - 1)
+
+#define Check_Max_Args(name, len) \
+    if ((size_t)(len) < MAX_ARGS) { \
+	/* OK */ \
+    } \
+    else { \
+	rb_raise(rb_eTypeError, \
+		 name" is so large that it can cause integer overflow (%d)", \
+		 (len)); \
+    }
+
 static void
 deallocate(void *p)
 {
@@ -84,6 +96,7 @@ initialize(int argc, VALUE argv[], VALUE self)
     if(NIL_P(abi)) abi = INT2NUM(FFI_DEFAULT_ABI);
 
     Check_Type(args, T_ARRAY);
+    Check_Max_Args("args", RARRAY_LENINT(args));
 
     rb_iv_set(self, "@ptr", ptr);
     rb_iv_set(self, "@args", args);
@@ -129,6 +142,7 @@ function_call(int argc, VALUE argv[], VALUE self)
     types    = rb_iv_get(self, "@args");
     cPointer = rb_const_get(mFiddle, rb_intern("Pointer"));
 
+    Check_Max_Args("number of arguments", argc);
     if(argc != RARRAY_LENINT(types)) {
 	rb_raise(rb_eArgError, "wrong number of arguments (%d for %d)",
 		argc, RARRAY_LENINT(types));