From ff0366ac3249b1a25813921e1af9346f345fd4a3 Mon Sep 17 00:00:00 2001 From: Kaz Kylheku Date: Mon, 12 Jun 2017 06:46:10 -0700 Subject: ffi: fix carray multiplication overflow checks. * ffi.c (carray_dup): Do size multiplication using unsigned type, then coerce back to signed. Check for overflow correctly by first testing result for negative, then doing division check. (carray_replace): Add check for negative size, which confirms overflow.
---
 ffi.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ffi.c b/ffi.c
index 9dc0bb3a..36b4ce07 100644
--- a/ffi.c
+++ b/ffi.c
@@ -4352,10 +4352,10 @@ val carray_dup(val carray)
 self, carray, nao);
 } else {
 cnum elsize = scry->eltft->size;
- cnum size = scry->nelem * elsize;
+ cnum size = (ucnum) scry->nelem * (ucnum) elsize;
 mem_t *dup = chk_copy_obj(scry->data, scry->nelem * scry->eltft->size);
- if (size < scry->nelem || size < elsize)
+ if (size < 0 || (elsize > 0 && size / elsize != scry->nelem))
 uw_throwf(error_s, lit("~a: array size overflow"), self, nao);
 carray->co.ops = &carray_owned_ops;
@@ -4655,7 +4655,7 @@ val carray_replace(val carray, val values, val from, val to)
 if (sn > ln)
 sn = ln;
- if ((ln != 0 && size / elsize != ln) || (sn < fn))
+ if (size < 0 || (ln != 0 && size / elsize != ln) || (sn < fn))
 uw_throwf(error_s, lit("~a: array size overflow"), self, nao);
 ptr = scry->data + fn * elsize;
-- 
cgit v1.2.3
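Review bot: The `chk_copy_obj` call on the context line between the two changed lines still computes `scry->nelem * scry->eltft->size` as a signed cnum product and runs before the new overflow check, so the copy is made with a possibly wrapped length and the signed multiplication the commit just moved to ucnum is repeated in its undefined-behaviour form. The `uw_throwf` therefore fires only after `dup` has been allocated; whether that storage is reclaimed after the throw depends on chk_copy_obj's allocator, which is outside the hunk. Move the check ahead of the copy and pass the validated length: declare `mem_t *dup;` with the other locals, and after the `uw_throwf` line write `dup = chk_copy_obj(scry->data, size);` (keeping the declaration at block start if the file is meant to stay C89-clean). carray_dup's body begins and continues outside the hunk.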
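Review bot: The added `size < 0` test detects overflow only if `size` was formed as an unsigned product and coerced back, as carray_dup now does; the lines computing `size` and `elsize` in carray_replace are outside the hunk, and if they still multiply two cnum values the overflow is undefined behaviour that the compiler is entitled to assume away together with this check. The division guard is also looser than the one in carray_dup: it tests `ln != 0` rather than `elsize > 0`, so if a zero-sized element type can reach this point with `ln != 0`, `size / elsize` divides by zero. Consider mirroring the first hunk, `if (size < 0 || (elsize > 0 && size / elsize != ln) || (sn < fn))`, and forming `size` as `(ucnum) ln * (ucnum) elsize` where it is defined. carray_replace's body begins and continues outside the hunk.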