3 files changed, 40 insertions, 2 deletions

diff --git a/ChangeLog b/ChangeLog
index 54f971b9b3..5b23da202e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+Wed Apr 10 12:32:37 2013  Tanaka Akira  <akr@fsij.org>
+
+	* bignum.c (rb_ll2big): Don't overflow on signed integer negation.
+
+	* ext/bigdecimal/bigdecimal.c (MUL_OVERFLOW_SIGNED_VALUE_P): New
+	  macro.
+	  (AddExponent): Don't overflow on signed integer multiplication.
+	  (VpCtoV): Don't overflow on signed integer arithmetic.
+	  (VpCtoV): Don't overflow on signed integer arithmetic.
+
 Wed Apr 10 06:32:12 2013  Tanaka Akira  <akr@fsij.org>
 
 	* internal.h (MUL_OVERFLOW_INT_P): New macro.
diff --git a/bignum.c b/bignum.c
index 7d4bd3cb17..e709c21c52 100644
--- a/bignum.c
+++ b/bignum.c
@@ -832,13 +832,17 @@ static VALUE
 rb_ll2big(LONG_LONG n)
 {
     long neg = 0;
+    unsigned LONG_LONG u;
     VALUE big;
 
     if (n < 0) {
-	n = -n;
+        u = 1 + (unsigned LONG_LONG)(-(n + 1)); /* u = -n avoiding overflow */
 	neg = 1;
     }
-    big = rb_ull2big(n);
+    else {
+        u = n;
+    }
+    big = rb_ull2big(u);
     if (neg) {
 	RBIGNUM_SET_SIGN(big, 0);
     }
diff --git a/ext/bigdecimal/bigdecimal.c b/ext/bigdecimal/bigdecimal.c
index 9e2aa31d37..d6cc409eac 100644
--- a/ext/bigdecimal/bigdecimal.c
+++ b/ext/bigdecimal/bigdecimal.c
@@ -38,6 +38,16 @@
 
 /* #define ENABLE_NUMERIC_STRING */
 
+#define MUL_OVERFLOW_SIGNED_INTEGER_P(a, b, min, max) ( \
+    (a) == 0 ? 0 : \
+    (a) == -1 ? (b) < -(max) : \
+    (a) > 0 ? \
+      ((b) > 0 ? (max) / (a) < (b) : (min) / (a) > (b)) : \
+      ((b) > 0 ? (min) / (a) < (b) : (max) / (a) > (b)))
+#define SIGNED_VALUE_MAX INTPTR_MAX
+#define SIGNED_VALUE_MIN INTPTR_MIN
+#define MUL_OVERFLOW_SIGNED_VALUE_P(a, b) MUL_OVERFLOW_SIGNED_INTEGER_P(a, b, SIGNED_VALUE_MIN, SIGNED_VALUE_MAX)
+
 VALUE rb_cBigDecimal;
 VALUE rb_mBigMath;
 
@@ -3735,12 +3745,18 @@ AddExponent(Real *a, SIGNED_VALUE n)
     SIGNED_VALUE eb, mb;
     if (e > 0) {
 	if (n > 0) {
+            if (MUL_OVERFLOW_SIGNED_VALUE_P(m, (SIGNED_VALUE)BASE_FIG) ||
+                MUL_OVERFLOW_SIGNED_VALUE_P(e, (SIGNED_VALUE)BASE_FIG))
+                goto overflow;
 	    mb = m*(SIGNED_VALUE)BASE_FIG;
 	    eb = e*(SIGNED_VALUE)BASE_FIG;
 	    if (mb < eb) goto overflow;
 	}
     }
     else if (n < 0) {
+        if (MUL_OVERFLOW_SIGNED_VALUE_P(m, (SIGNED_VALUE)BASE_FIG) ||
+            MUL_OVERFLOW_SIGNED_VALUE_P(e, (SIGNED_VALUE)BASE_FIG))
+            goto underflow;
 	mb = m*(SIGNED_VALUE)BASE_FIG;
 	eb = e*(SIGNED_VALUE)BASE_FIG;
 	if (mb > eb) goto underflow;
@@ -5254,9 +5270,17 @@ VpCtoV(Real *a, const char *int_chr, size_t ni, const char *frac, size_t nf, con
 	    ++me;
 	}
 	while (i < me) {
+            if (MUL_OVERFLOW_SIGNED_VALUE_P(e, (SIGNED_VALUE)BASE_FIG))
+                goto exp_overflow;
 	    es = e * (SIGNED_VALUE)BASE_FIG;
+            if (MUL_OVERFLOW_SIGNED_VALUE_P(e, 10) ||
+                SIGNED_VALUE_MAX - (exp_chr[i] - '0') < e * 10)
+                goto exp_overflow;
 	    e = e * 10 + exp_chr[i] - '0';
+            if (MUL_OVERFLOW_SIGNED_VALUE_P(e, (SIGNED_VALUE)BASE_FIG))
+                goto exp_overflow;
 	    if (es > (SIGNED_VALUE)(e * BASE_FIG)) {
+              exp_overflow:
 		exponent_overflow = 1;
 		e = es; /* keep sign */
 		break;