* array.c (rb_ary_fill): not depend on unspecified behavior at integer

overflow. reported by Vincenzo Iozzo <snagg AT openssl.it>. git-svn-id: http://svn.ruby-lang.org/repos/ruby/trunk@17570 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
author: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2008-06-25 06:28:53 +0000
committer: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2008-06-25 06:28:53 +0000
commit: bdbedc4d4198091cdf6e2de8f7a5666dbc62cd38 (patch)
tree: ecadf10a491898b742932bc0d4a222a2897bc797 /array.c
parent: c6cb78def2ffd07a15854a66128c4d9910f014ac (diff)
download: ruby-bdbedc4d4198091cdf6e2de8f7a5666dbc62cd38.tar.gz
ruby-bdbedc4d4198091cdf6e2de8f7a5666dbc62cd38.tar.xz
ruby-bdbedc4d4198091cdf6e2de8f7a5666dbc62cd38.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/array.c b/array.c
index 783e5a5e3..7d8d40678 100644
--- a/array.c
+++ b/array.c
@@ -2145,10 +2145,10 @@ rb_ary_fill(int argc, VALUE *argv, VALUE ary)
 	break;
     }
     rb_ary_modify(ary);
-    end = beg + len;
-    if (end < 0) {
+    if (len > ARY_MAX_SIZE - beg) {
 	rb_raise(rb_eArgError, "argument too big");
     }
+    end = beg + len;
     if (RARRAY_LEN(ary) < end) {
 	if (end >= ARY_CAPA(ary)) {
 	    RESIZE_CAPA(ary, end);
author	nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2008-06-25 06:28:53 +0000
committer	nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2008-06-25 06:28:53 +0000
commit	bdbedc4d4198091cdf6e2de8f7a5666dbc62cd38 (patch)
tree	ecadf10a491898b742932bc0d4a222a2897bc797 /array.c
parent	c6cb78def2ffd07a15854a66128c4d9910f014ac (diff)
download	ruby-bdbedc4d4198091cdf6e2de8f7a5666dbc62cd38.tar.gz ruby-bdbedc4d4198091cdf6e2de8f7a5666dbc62cd38.tar.xz ruby-bdbedc4d4198091cdf6e2de8f7a5666dbc62cd38.zip