Properly check for an integer overflow in Chunk#initialize.
diff --git
a/ext/ext.c
b/ext/ext.c
index 63096a7e744cd9cad366a946c97bf217036f630a..12b850014f25ae4aa0fa5d8c023793583c7c91fb 100644
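--- a/ext/ext.c
+++ b/ext/ext.c
@@ -1,5 +1,5 @@
 /*
- * $Id: ext.c 67 2005-06-29 15:44:09Z tilman $
+ * $Id: ext.c 68 2005-06-29 16:50:47Z tilman $
 *
 * Copyright (c) 2005 Tilman Sauerbeck (tilman at code-monkey de)
 *
@@ -467,7 +467,7 @@ stream_serialize (VALUE self)
 static VALUE
 chunk_init (VALUE self, VALUE tag, VALUE data)
 {
- unsigned long len;
+ long tag_len, data_len, tmp;
 StringValue (tag);
 StringValue (data);
@@ -478,8 +478,11 @@ chunk_init (VALUE self, VALUE tag, VALUE data)
 /* libeet uses a signed 32bit integer to store the
 * chunk size, so make sure we don't overflow it
 */
- len = RSTRING (tag)->len + 1 + RSTRING (data)->len;
- if (len < 0 || len >= 2147483647L)
+ tag_len = RSTRING (tag)->len;
+ data_len = RSTRING (data)->len;
+ tmp = tag_len + 1 + data_len;
+
+ if (tmp < tag_len || tmp < data_len || tmp < 1 || tmp >= 2147483647L)
 rb_raise (rb_eArgError, "tag or data too long");
 rb_ivar_set (self, id_tag, rb_str_dup_frozen (tag));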
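Review bot: The wrap-around tests `tmp < tag_len || tmp < data_len || tmp < 1` in chunk_init only run after `tmp = tag_len + 1 + data_len` has already been evaluated in signed `long`, and signed overflow is undefined behaviour in C. Where `long` is 32 bits, a compiler may assume the sum never wraps and drop exactly these comparisons, which would leave only the `>= 2147483647L` test. Bounding the operands before adding avoids forming an out-of-range value at all: assuming both lengths are non-negative (they come from `RSTRING (...)->len`), `if (tag_len >= 2147483646L - data_len)` followed by the existing `rb_raise` rejects the same inputs. A one-line comment naming 2147483647 as libeet's signed 32-bit limit would also make the constant easier to audit. The body of chunk_init continues past the last line shown here.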