From ada89912d72109cb547b181b7ad28ff4e175cc97 Mon Sep 17 00:00:00 2001
From: shyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Sun, 29 Jun 2008 09:23:33 +0000
Subject: merge revision(s) 17570: 	* array.c (rb_ary_fill): not depend on
 unspecified behavior at integer 	  overflow.  reported by Vincenzo
 Iozzo <snagg AT openssl.it>.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8_7@17686 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog | 5 +++++
 array.c   | 4 ++--
 version.h | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 1de5184dda..555239d0e6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Sun Jun 29 18:22:52 2008  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* array.c (rb_ary_fill): not depend on unspecified behavior at integer
+	  overflow.  reported by Vincenzo Iozzo <snagg AT openssl.it>.
+
 Sun Jun 29 18:22:06 2008  Masaki Suketa  <masaki.suketa@nifty.ne.jp>
 
 	* ext/win32ole/win32ole.c(ole_invoke): fix memory leak.
diff --git a/array.c b/array.c
index 9814722382..f4ed6e67d8 100644
--- a/array.c
+++ b/array.c
@@ -2416,10 +2416,10 @@ rb_ary_fill(argc, argv, ary)
 	break;
     }
     rb_ary_modify(ary);
-    end = beg + len;
-    if (end < 0) {
+    if (len > ARY_MAX_SIZE - beg) {
 	rb_raise(rb_eArgError, "argument too big");
     }
+    end = beg + len;
     if (end > RARRAY(ary)->len) {
 	if (end >= RARRAY(ary)->aux.capa) {
 	    REALLOC_N(RARRAY(ary)->ptr, VALUE, end);
diff --git a/version.h b/version.h
index aee845186c..6c37e10e4a 100644
--- a/version.h
+++ b/version.h
@@ -2,7 +2,7 @@
 #define RUBY_RELEASE_DATE "2008-06-29"
 #define RUBY_VERSION_CODE 187
 #define RUBY_RELEASE_CODE 20080629
-#define RUBY_PATCHLEVEL 30
+#define RUBY_PATCHLEVEL 31
 
 #define RUBY_VERSION_MAJOR 1
 #define RUBY_VERSION_MINOR 8
-- 
cgit v1.2.3