From 7dc634268cb7e33b02462667c1827e7dc146c4ad Mon Sep 17 00:00:00 2001
From: Kaz Kylheku <kaz@kylheku.com>
Date: Sat, 17 Jun 2017 09:02:52 -0700
Subject: ash: check range of bits argument.

mp_shift takes an int argument, but we decode bits to
a cnum, leaving possible room for overflow, such as
when cnum is 64 bits and int is 32. If the value

* arith.c (ash): Check that the value is in the range
of INT_MIN to INT_MAX.
---
 arith.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arith.c b/arith.c
index 93341d3c..8f268f95 100644
--- a/arith.c
+++ b/arith.c
@@ -2446,6 +2446,8 @@ val ash(val a, val bits)
       a = bignum(an);
       /* fallthrough */
     case BGNUM:
+      if (bn < INT_MIN || bn > INT_MAX)
+        goto bad4;
       b = make_bignum();
       if (mp_shift(mp(a), mp(b), bn) != MP_OKAY)
         goto bad;
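Review bot: The new range check in `case BGNUM:` still admits `bn == INT_MIN`, which is only safe if mp_shift never negates its count. If mp_shift implements a negative count as a right shift by `-bits`, that negation overflows int; its body is not visible here, so this needs confirming. A symmetric bound, `if (bn < -INT_MAX || bn > INT_MAX)`, removes the question. The check also depends on `<limits.h>` being included in arith.c, which the hunk does not show. The body of ash starts and ends outside this hunk.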
@@ -2480,6 +2482,9 @@ bad2:
 
 bad3:
   uw_throwf(error_s, lit("ash: non-integral operand ~s"), a, nao);
+
+bad4:
+  uw_throwf(error_s, lit("ash: bit value too large ~s"), bits, nao);
 }
 
 val bit(val a, val bit)
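Review bot: The message at `bad4` says "too large", but the label is also reached when `bn < INT_MIN`, so a very negative shift count is reported as too large. Wording that covers both directions would be more accurate, for example `uw_throwf(error_s, lit("ash: bit count ~s out of range"), bits, nao);`. Because the `goto bad4` sits far from the label, a one-line comment above it such as `/* shift count does not fit in int (mp_shift takes int) */` would help the next reader.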
-- 
cgit v1.2.3