diff -Naur ruby-1.8.6-p114/array.c ruby-1.8.6-p114.1/array.c
--- ruby-1.8.6-p114/array.c 2007-09-07 03:46:40.000000000 -0400
+++ ruby-1.8.6-p114.1/array.c 2008-07-18 09:43:28.000000000 -0400
@@ -20,6 +20,7 @@
 static ID id_cmp;
 #define ARY_DEFAULT_SIZE 16
+#define ARY_MAX_SIZE (LONG_MAX / sizeof(VALUE))
 void rb_mem_clear(mem, size)
@@ -367,7 +368,7 @@
 new_capa = ARY_DEFAULT_SIZE;
 }
 new_capa += idx;
- if (new_capa * (long)sizeof(VALUE) <= new_capa) {
+ if (new_capa < 0 || new_capa > LONG_MAX / sizeof(VALUE)) {
 rb_raise(rb_eArgError, "index too big");
 }
 REALLOC_N(RARRAY(ary)->ptr, VALUE, new_capa);
@@ -976,6 +977,9 @@
 if (beg >= RARRAY(ary)->len) {
 len = beg + rlen;
+ if (len < 0 || len > LONG_MAX / sizeof(VALUE)) {
+ rb_raise(rb_eIndexError, "index %ld too big", beg);
+ }
 if (len >= RARRAY(ary)->aux.capa) {
 REALLOC_N(RARRAY(ary)->ptr, VALUE, len);
 RARRAY(ary)->aux.capa = len;
@@ -2265,6 +2269,9 @@
 break;
 }
 rb_ary_modify(ary);
+ if (beg >= ARY_MAX_SIZE || len > ARY_MAX_SIZE - beg) {
+ rb_raise(rb_eArgError, "argument too big");
+ }
 end = beg + len;
 if (end < 0) {
 rb_raise(rb_eArgError, "argument too big");
diff -Naur ruby-1.8.6-p114/string.c ruby-1.8.6-p114.1/string.c
--- ruby-1.8.6-p114/string.c 2007-09-07 03:40:27.000000000 -0400
+++ ruby-1.8.6-p114.1/string.c 2008-07-18 09:43:28.000000000 -0400
@@ -458,10 +458,9 @@
 VALUE *argv;
 if (TYPE(arg) == T_ARRAY) {
- argv = ALLOCA_N(VALUE, RARRAY(arg)->len + 1);
- argv[0] = str;
- MEMCPY(argv+1, RARRAY(arg)->ptr, VALUE, RARRAY(arg)->len);
- return rb_f_sprintf(RARRAY(arg)->len+1, argv);
+ argv = rb_ary_dup(arg);
+ rb_ary_unshift(argv, str);
+ return rb_f_sprintf(RARRAY(arg)->len+1, RARRAY(argv)->ptr);
 }
 argv = ALLOCA_N(VALUE, 2);
@@ -780,6 +779,9 @@
 capa = RSTRING(str)->aux.capa;
 }
 len = RSTRING(str)->len+RSTRING(str2)->len;
+ if (len < 0 || (capa+1) > LONG_MAX / 2) {
+ rb_raise(rb_eArgError, "string sizes too big");
+ }
 if (capa <= len) {
 while (len > capa) {
 capa = (capa + 1) * 2;
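Review bot: `ARY_MAX_SIZE` expands to `LONG_MAX / sizeof(VALUE)`, and because `sizeof` yields `size_t` the whole constant is unsigned, so every comparison of a `long` index or length against it (as in the hunk at -2265) silently converts the signed side to unsigned. That conversion is what makes a negative value compare as "too big", which is useful but far from obvious to the next reader of the macro. I would state it at the definition: `/* size_t, not long: a negative long compared against it converts to a huge unsigned value and is rejected as too big */`. `LONG_MAX` needs <limits.h>; whether array.c already gets it through its existing includes is not visible in this hunk.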
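Review bot: The new guard `if (new_capa < 0 || new_capa > LONG_MAX / sizeof(VALUE))` runs after `new_capa += idx` has already executed, so it detects signed overflow by inspecting a wrapped value; signed overflow is undefined behaviour in C and a compiler is allowed to drop the `new_capa < 0` test entirely. The hunk at -976 has the same after-the-fact shape (`len = beg + rlen;` followed by `len < 0`). Test the operands instead, replacing the addition and the guard with `if (idx > ARY_MAX_SIZE - new_capa) rb_raise(rb_eArgError, "index too big");` followed by `new_capa += idx;`, which also uses the `ARY_MAX_SIZE` macro this patch introduces instead of spelling `LONG_MAX / sizeof(VALUE)` out again in two places. That form assumes `idx` and `new_capa` are already non-negative here; the enclosing function begins outside the hunk, so I cannot confirm that from what is shown.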
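Review bot: Once the new `beg >= ARY_MAX_SIZE || len > ARY_MAX_SIZE - beg` guard is in place, the existing `if (end < 0)` check two lines below cannot fire any more: the guard bounds `end = beg + len` to at most `LONG_MAX`, and a negative `beg` or `len` is rejected by the guard itself through the implicit long-to-size_t conversion. Relying on that conversion is subtle enough that the dead branch will look like the real overflow check to a later reader; either remove it or record the invariant at the guard, e.g. `/* ARY_MAX_SIZE is size_t: negative beg/len convert to huge values and are rejected here, so end cannot overflow below */`. Whether `beg` and `len` are normalized before this point depends on code above the hunk; the enclosing function starts and ends outside it.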
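Review bot: `argv` is still declared `VALUE *argv;` (unchanged context at the top of the hunk), yet the new branch stores the `VALUE` returned by `rb_ary_dup` in it and then hands that pointer to `rb_ary_unshift` and `RARRAY()`, which take a `VALUE`; this compiles only through implicit integer/pointer conversions that every compiler warns about and that are not portable. Give the branch its own correctly typed local: `VALUE tmp = rb_ary_dup(arg);` `rb_ary_unshift(tmp, str);` `return rb_f_sprintf(RARRAY(tmp)->len, RARRAY(tmp)->ptr);` — taking the count from the duplicated array also keeps the count and the pointer in step instead of deriving one from `arg` and the other from the copy. Replacing the `ALLOCA_N` buffer sized by the caller-controlled array length with a heap-backed array is the right direction for the stack-exhaustion concern; a one-line comment saying that is why the copy is made would keep someone from "optimizing" it back. The enclosing function starts outside the hunk.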
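Review bot: The guard `(capa+1) > LONG_MAX / 2` only protects the first pass of the `while (len > capa) { capa = (capa + 1) * 2;` loop that follows; after a few doublings toward a large `len`, a later `(capa + 1) * 2` can still overflow `long`. The `len < 0` half of the same condition inspects a value that the previous line produced by a signed addition, so it depends on undefined wraparound, the same weakness as the array.c hunks at -367 and -976. Check the operands before adding, `if (RSTRING(str2)->len > LONG_MAX - RSTRING(str)->len) rb_raise(rb_eArgError, "string sizes too big");`, and move the growth guard into the loop as its first statement, `if (capa > LONG_MAX / 2 - 1) rb_raise(rb_eArgError, "string sizes too big");`, so every doubling is covered. Both the enclosing function and the loop continue past the end of the hunk.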