From 895a74b4352d4fdb0b01e296df90e61255d9c3d9 Mon Sep 17 00:00:00 2001
From: Kaz Kylheku <kaz@kylheku.com>
Date: Thu, 18 Jun 2015 22:13:36 -0700
Subject: * lib.c (cat_str): Detect overflow in the total length calculation.

---
 ChangeLog |  5 +++++
 lib.c     | 25 +++++++++++++++++++++----
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index c9c19633..5d4c51f6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2015-06-18  Kaz Kylheku  <kaz@kylheku.com>
+
+	* lib.c (cat_str): Detect overflow in the total length
+	calculation.
+
 2015-06-18  Kaz Kylheku  <kaz@kylheku.com>
 
 	Improvements in equal hashing function.
diff --git a/lib.c b/lib.c
index 38eb599b..656c127e 100644
--- a/lib.c
+++ b/lib.c
@@ -2792,15 +2792,29 @@ val cat_str(val list, val sep)
     if (!item)
       continue;
     if (stringp(item)) {
-      total += c_num(length_str(item));
+      cnum ntotal = total + c_num(length_str(item));
+
       if (len_sep && cdr(iter))
-        total += len_sep;
+        ntotal += len_sep;
+
+      if (ntotal < total)
+        goto oflow;
+
+      total = ntotal;
+
       continue;
     }
     if (chrp(item)) {
-      total += 1;
+      cnum ntotal = total + 1;
+
       if (len_sep && cdr(iter))
-        total += len_sep;
+        ntotal += len_sep;
+
+      if (ntotal < total)
+        goto oflow;
+
+      total = ntotal;
+
       continue;
     }
     uw_throwf(error_s, lit("cat-str: ~s is not a character or string"),
@@ -2830,6 +2844,9 @@ val cat_str(val list, val sep)
   *ptr = 0;
 
   return string_own(str);
+
+oflow:
+  uw_throwf(error_s, lit("cat-str: string length overflow"), nao);
 }
 
 val split_str(val str, val sep)
-- 
cgit v1.2.3