[CVE-2018-14337] Check size of the integer multiply before actual overflow

detected by AVAS

https://github.com/mruby/mruby/commit/bfd11aab35ab942363359a989712e9a6f35b9295

Change-Id: Iab964c43d43bf427dfa6f5f64653df1ae22ba56f

diff --git a/third-party/mruby/mrbgems/mruby-sprintf/src/sprintf.c b/third-party/mruby/mrbgems/mruby-sprintf/src/sprintf.c
index 7eea1a1..e9f755e 100644 (file)
--- a/third-party/mruby/mrbgems/mruby-sprintf/src/sprintf.c
+++ b/third-party/mruby/mrbgems/mruby-sprintf/src/sprintf.c
@@ -119,13 +119,11 @@ mrb_fix2binstr(mrb_state *mrb, mrb_value x, int base)
 #define FPREC0 128
 
 #define CHECK(l) do {\
-/*  int cr = ENC_CODERANGE(result);*/\
   while ((l) >= bsiz - blen) {\
+    if (bsiz > MRB_INT_MAX/2) mrb_raise(mrb, E_ARGUMENT_ERROR, "too big specifier"); \
     bsiz*=2;\
-    if (bsiz < 0) mrb_raise(mrb, E_ARGUMENT_ERROR, "too big specifier"); \
   }\
   mrb_str_resize(mrb, result, bsiz);\
-/*  ENC_CODERANGE_SET(result, cr);*/\
   buf = RSTRING_PTR(result);\
 } while (0)
 
@@ -202,11 +200,10 @@ check_name_arg(mrb_state *mrb, int posarg, const char *name, mrb_int len)
 
 #define GETNUM(n, val) \
   for (; p < end && ISDIGIT(*p); p++) {\
-    mrb_int next_n = 10 * n + (*p - '0'); \
-    if (next_n / 10 != n) {\
+    if (n > MRB_INT_MAX/10) {\
       mrb_raise(mrb, E_ARGUMENT_ERROR, #val " too big"); \
     } \
-    n = next_n; \
+    n = 10 * n + (*p - '0');  \
   } \
   if (p >= end) { \
     mrb_raise(mrb, E_ARGUMENT_ERROR, "malformed format string - %*[0-9]"); \