From 6ed97e92948afabf67569552951e9bc2b1c2bd66 Mon Sep 17 00:00:00 2001
From: matz <matz@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Wed, 5 Sep 2007 13:27:52 +0000
Subject: * array.c (rb_ary_fill): need integer overflow check.  
 [ruby-dev:31738]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8@13344 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog | 3 +++
 array.c   | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 0d30d1bc6a..9c1914d18e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 Wed Sep  5 22:02:27 2007  Yukihiro Matsumoto  <matz@ruby-lang.org>
 
+	* array.c (rb_ary_fill): need integer overflow check.
+	  [ruby-dev:31738]
+
 	* string.c (rb_str_splice): integer overflow for length.
 	  [ruby-dev:31739]
 
diff --git a/array.c b/array.c
index 0ead0812fb..bb793278a2 100644
--- a/array.c
+++ b/array.c
@@ -2264,6 +2264,9 @@ rb_ary_fill(argc, argv, ary)
     }
     rb_ary_modify(ary);
     end = beg + len;
+    if (end < 0) {
+	rb_raise(rb_eArgError, "argument too big");
+    }
     if (end > RARRAY(ary)->len) {
 	if (end >= RARRAY(ary)->aux.capa) {
 	    REALLOC_N(RARRAY(ary)->ptr, VALUE, end);
-- 
cgit v1.2.3