string.c: integer overflow

* string.c (rb_str_modify_expand): check integer overflow. [ruby-core:75592] [Bug #12390] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55054 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
author: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2016-05-18 05:52:40 +0000
committer: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2016-05-18 05:52:40 +0000
commit: 86f685407cabd1a4c13cc868dae9ff766dd99497 (patch)
tree: 215df55e4f6dd04c6be150fbced6846ab23feede /string.c
parent: d412c73825e07791f6f7878f8d9afa925d012f02 (diff)
download: ruby-86f685407cabd1a4c13cc868dae9ff766dd99497.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/string.c b/string.c
index 1e4d867f9d..049b088a0d 100644
--- a/string.c
+++ b/string.c
@@ -1914,6 +1914,9 @@ rb_str_modify_expand(VALUE str, long expand)
     else if (expand > 0) {
 	long len = RSTRING_LEN(str);
 	long capa = len + expand;
+	if (expand >= LONG_MAX - len - termlen) {
+	    rb_raise(rb_eArgError, "string size too big");
+	}
 	if (!STR_EMBED_P(str)) {
 	    REALLOC_N(RSTRING(str)->as.heap.ptr, char, capa + termlen);
 	    RSTRING(str)->as.heap.aux.capa = capa;
author	nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2016-05-18 05:52:40 +0000
committer	nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2016-05-18 05:52:40 +0000
commit	86f685407cabd1a4c13cc868dae9ff766dd99497 (patch)
tree	215df55e4f6dd04c6be150fbced6846ab23feede /string.c
parent	d412c73825e07791f6f7878f8d9afa925d012f02 (diff)
download	ruby-86f685407cabd1a4c13cc868dae9ff766dd99497.tar.gz