From 5b18872c7a4df0b9a01af5c86ee6969018985e69 Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi <k@rhe.jp>
Date: Thu, 15 Sep 2016 01:09:10 +0900
Subject: pack.c: avoid signed integer overflow

Avoid 'x > y * n' pattern because 'y * n' may cause a signed integer
overflow.
---
 pack.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/pack.c b/pack.c
index a8339c7219..3423bfc135 100644
--- a/pack.c
+++ b/pack.c
@@ -1191,8 +1191,11 @@ pack_unpack_internal(VALUE str, VALUE fmt, int mode)
 		int bits;
 		long i;
 
-		if (p[-1] == '*' || len > (send - s) * 8)
+		if (p[-1] == '*' || len / 8 >= send - s) {
+		    if (send - s > LONG_MAX / 8)
+			rb_raise(rb_eRuntimeError, "string size too big");
 		    len = (send - s) * 8;
+		}
 		bits = 0;
 		UNPACK_PUSH(bitstr = rb_usascii_str_new(0, len));
 		t = RSTRING_PTR(bitstr);
@@ -1211,8 +1214,11 @@ pack_unpack_internal(VALUE str, VALUE fmt, int mode)
 		int bits;
 		long i;
 
-		if (p[-1] == '*' || len > (send - s) * 8)
+		if (p[-1] == '*' || len / 8 >= send - s) {
+		    if (send - s > LONG_MAX / 8)
+			rb_raise(rb_eRuntimeError, "string size too big");
 		    len = (send - s) * 8;
+		}
 		bits = 0;
 		UNPACK_PUSH(bitstr = rb_usascii_str_new(0, len));
 		t = RSTRING_PTR(bitstr);
@@ -1231,8 +1237,11 @@ pack_unpack_internal(VALUE str, VALUE fmt, int mode)
 		int bits;
 		long i;
 
-		if (p[-1] == '*' || len > (send - s) * 2)
+		if (p[-1] == '*' || len / 2 >= send - s) {
+		    if (send - s > LONG_MAX / 2)
+			rb_raise(rb_eRuntimeError, "string size too big");
 		    len = (send - s) * 2;
+		}
 		bits = 0;
 		UNPACK_PUSH(bitstr = rb_usascii_str_new(0, len));
 		t = RSTRING_PTR(bitstr);
@@ -1253,8 +1262,11 @@ pack_unpack_internal(VALUE str, VALUE fmt, int mode)
 		int bits;
 		long i;
 
-		if (p[-1] == '*' || len > (send - s) * 2)
+		if (p[-1] == '*' || len / 2 >= send - s) {
+		    if (send - s > LONG_MAX / 2)
+			rb_raise(rb_eRuntimeError, "string size too big");
 		    len = (send - s) * 2;
+		}
 		bits = 0;
 		UNPACK_PUSH(bitstr = rb_usascii_str_new(0, len));
 		t = RSTRING_PTR(bitstr);
@@ -1522,7 +1534,7 @@ pack_unpack_internal(VALUE str, VALUE fmt, int mode)
 
 	  case 'm':
 	    {
-		VALUE buf = infected_str_new(0, (send - s + 3)*3/4, str); /* +3 is for skipping paddings */
+		VALUE buf = infected_str_new(0, (send - s + 3) / 4 * 3, str); /* +3 is for skipping paddings */
 		char *ptr = RSTRING_PTR(buf);
 		int a = -1,b = -1,c = 0,d = 0;
 		static signed char b64_xtable[256];
-- 
cgit v1.2.3