* internal.h (MUL_OVERFLOW_INT_P): New macro.

* sprintf.c (GETNUM): Don't overflow on signed integer multiplication.



git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40209 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

3 files changed, 14 insertions, 3 deletions

diff --git a/ChangeLog b/ChangeLog
index 87fae93e51..7e96a923ce 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Wed Apr 10 06:32:12 2013  Tanaka Akira  <akr@fsij.org>
+
+	* internal.h (MUL_OVERFLOW_INT_P): New macro.
+
+	* sprintf.c (GETNUM): Don't overflow on signed integer multiplication.
+
 Tue Apr  9 20:38:20 2013  Tanaka Akira  <akr@fsij.org>
 
 	* internal.h (MUL_OVERFLOW_SIGNED_INTEGER_P): New macro.
diff --git a/internal.h b/internal.h
index 5e9ce2460a..964f8a3467 100644
--- a/internal.h
+++ b/internal.h
@@ -36,6 +36,7 @@ extern "C" {
       ((b) > 0 ? (min) / (a) < (b) : (max) / (a) > (b)))
 #define MUL_OVERFLOW_FIXNUM_P(a, b) MUL_OVERFLOW_SIGNED_INTEGER_P(a, b, FIXNUM_MIN, FIXNUM_MAX)
 #define MUL_OVERFLOW_LONG_P(a, b) MUL_OVERFLOW_SIGNED_INTEGER_P(a, b, LONG_MIN, LONG_MAX)
+#define MUL_OVERFLOW_INT_P(a, b) MUL_OVERFLOW_SIGNED_INTEGER_P(a, b, INT_MIN, INT_MAX)
 
 struct rb_deprecated_classext_struct {
     char conflict[sizeof(VALUE) * 3];
diff --git a/sprintf.c b/sprintf.c
index 7a4f1e5794..77fd7bc940 100644
--- a/sprintf.c
+++ b/sprintf.c
@@ -14,6 +14,7 @@
 #include "ruby/ruby.h"
 #include "ruby/re.h"
 #include "ruby/encoding.h"
+#include "internal.h"
 #include <math.h>
 #include <stdarg.h>
 
@@ -128,10 +129,13 @@ sign_bits(int base, const char *p)
 
 #define GETNUM(n, val) \
     for (; p < end && rb_enc_isdigit(*p, enc); p++) {	\
-	int next_n = 10 * (n) + (*p - '0'); \
-        if (next_n / 10 != (n)) {\
+	int next_n = (n); \
+        if (MUL_OVERFLOW_INT_P(10, next_n)) \
 	    rb_raise(rb_eArgError, #val " too big"); \
-	} \
+	next_n *= 10; \
+        if (INT_MAX - (*p - '0') < next_n) \
+	    rb_raise(rb_eArgError, #val " too big"); \
+	next_n += *p - '0'; \
 	(n) = next_n; \
     } \
     if (p >= end) { \