* lib.c (cat_str): Detect overflow in the total length

calculation.

2 files changed, 26 insertions, 4 deletions

diff --git a/ChangeLog b/ChangeLog
index c9c19633..5d4c51f6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
 2015-06-18  Kaz Kylheku  <kaz@kylheku.com>
 
+	* lib.c (cat_str): Detect overflow in the total length
+	calculation.
+
+2015-06-18  Kaz Kylheku  <kaz@kylheku.com>
+
 	Improvements in equal hashing function.
 
 	* hash.c (equal_hash): For conses and vectors, ensure that
diff --git a/lib.c b/lib.c
index 38eb599b..656c127e 100644
--- a/lib.c
+++ b/lib.c
@@ -2792,15 +2792,29 @@ val cat_str(val list, val sep)
     if (!item)
       continue;
     if (stringp(item)) {
-      total += c_num(length_str(item));
+      cnum ntotal = total + c_num(length_str(item));
+
       if (len_sep && cdr(iter))
-        total += len_sep;
+        ntotal += len_sep;
+
+      if (ntotal < total)
+        goto oflow;
+
+      total = ntotal;
+
       continue;
     }
     if (chrp(item)) {
-      total += 1;
+      cnum ntotal = total + 1;
+
       if (len_sep && cdr(iter))
-        total += len_sep;
+        ntotal += len_sep;
+
+      if (ntotal < total)
+        goto oflow;
+
+      total = ntotal;
+
       continue;
     }
     uw_throwf(error_s, lit("cat-str: ~s is not a character or string"),
@@ -2830,6 +2844,9 @@ val cat_str(val list, val sep)
   *ptr = 0;
 
   return string_own(str);
+
+oflow:
+  uw_throwf(error_s, lit("cat-str: string length overflow"), nao);
 }
 
 val split_str(val str, val sep)