diff options
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | array.c | 12 |
2 files changed, 15 insertions, 2 deletions
@@ -1,3 +1,8 @@ +Tue Feb 26 16:41:27 2008 Nobuyoshi Nakada <nobu@ruby-lang.org> + + * array.c (combi_len, rb_ary_product): check for overflow. + [ruby-Bugs-18355] + Tue Feb 26 16:38:10 2008 Nobuyoshi Nakada <nobu@ruby-lang.org> * array.c (recursive_cmp): compare minimal length parts. @@ -3072,7 +3072,11 @@ combi_len(long n, long k) if (k < 0) return 0; val = 1; for (i=1; i <= k; i++,n--) { + long m = val; val *= n; + if (val < m) { + rb_raise(rb_eRangeError, "too big for combination"); + } val /= i; } return val; @@ -3185,8 +3189,12 @@ rb_ary_product(int argc, VALUE *argv, VALUE ary) /* Compute the length of the result array; return [] if any is empty */ for (i = 0; i < n; i++) { - resultlen *= RARRAY_LEN(arrays[i]); - if (resultlen == 0) return rb_ary_new2(0); + long k = RARRAY_LEN(arrays[i]), l = resultlen; + if (k == 0) return rb_ary_new2(0); + resultlen *= k; + if (resultlen < k || resultlen < l || resultlen / k != l) { + rb_raise(rb_eRangeError, "too big to product"); + } } /* Otherwise, allocate and fill in an array of results */ |