From d84ece5c1cfc4d94f386fe990bf2ddbf67e4e5b5 Mon Sep 17 00:00:00 2001
From: matz <matz@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Wed, 5 Sep 2007 13:36:28 +0000
Subject: * array.c (rb_ary_subseq): need integer overflow check.  
 [ruby-dev:31736]

* array.c (rb_ary_splice): ditto.  [ruby-dev:31737]

* array.c (rb_ary_fill): ditto.  [ruby-dev:31738]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8@13345 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 array.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'array.c')

diff --git a/array.c b/array.c
index bb793278a2..835e76bbd1 100644
--- a/array.c
+++ b/array.c
@@ -606,7 +606,7 @@ rb_ary_subseq(ary, beg, len)
     if (beg > RARRAY(ary)->len) return Qnil;
     if (beg < 0 || len < 0) return Qnil;
 
-    if (beg + len > RARRAY(ary)->len) {
+    if (RARRAY(ary)->len < len || RARRAY(ary)->len < beg + len) {
 	len = RARRAY(ary)->len - beg;
 	if (len < 0)
 	    len = 0;
@@ -959,7 +959,7 @@ rb_ary_splice(ary, beg, len, rpl)
 	    rb_raise(rb_eIndexError, "index %ld out of array", beg);
 	}
     }
-    if (beg + len > RARRAY(ary)->len) {
+    if (RARRAY(ary)->len < len || RARRAY(ary)->len < beg + len) {
 	len = RARRAY(ary)->len - beg;
     }
 
-- 
cgit v1.2.3