diff --git a/ChangeLog b/ChangeLog index 96371042d3..a3f9b6a132 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +Tue Feb 26 16:41:27 2008 Nobuyoshi Nakada + + * array.c (combi_len, rb_ary_product): check for overflow. + [ruby-Bugs-18355] + Tue Feb 26 16:38:10 2008 Nobuyoshi Nakada * array.c (recursive_cmp): compare minimal length parts. diff --git a/array.c b/array.c index 2832c838ca..5564f697a1 100644 --- a/array.c +++ b/array.c @@ -3072,7 +3072,11 @@ combi_len(long n, long k) if (k < 0) return 0; val = 1; for (i=1; i <= k; i++,n--) { + long m = val; val *= n; + if (val < m) { + rb_raise(rb_eRangeError, "too big for combination"); + } val /= i; } return val; @@ -3185,8 +3189,12 @@ rb_ary_product(int argc, VALUE *argv, VALUE ary) /* Compute the length of the result array; return [] if any is empty */ for (i = 0; i < n; i++) { - resultlen *= RARRAY_LEN(arrays[i]); - if (resultlen == 0) return rb_ary_new2(0); + long k = RARRAY_LEN(arrays[i]), l = resultlen; + if (k == 0) return rb_ary_new2(0); + resultlen *= k; + if (resultlen < k || resultlen < l || resultlen / k != l) { + rb_raise(rb_eRangeError, "too big to product"); + } } /* Otherwise, allocate and fill in an array of results */