diff options
author | Jan Kotas <jkotas@microsoft.com> | 2018-10-31 13:43:20 -0700 |
---|---|---|
committer | Jan Kotas <jkotas@microsoft.com> | 2018-10-31 17:36:56 -0700 |
commit | 8aa5101cea45183e882326f465007909d1b862a0 (patch) | |
tree | e5ed89714dca4d3a43f31cab7c6deb745259420d | |
parent | 92ea7612b2f33f2a69177846314be1d8ecfcf0cc (diff) | |
download | coreclr-8aa5101cea45183e882326f465007909d1b862a0.tar.gz coreclr-8aa5101cea45183e882326f465007909d1b862a0.tar.bz2 coreclr-8aa5101cea45183e882326f465007909d1b862a0.zip |
Detect integer overflow in String.Replace
Fixes #20719
-rw-r--r-- | src/System.Private.CoreLib/shared/System/Text/StringBuilder.cs | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/src/System.Private.CoreLib/shared/System/Text/StringBuilder.cs b/src/System.Private.CoreLib/shared/System/Text/StringBuilder.cs index ef84d90027..904166f908 100644 --- a/src/System.Private.CoreLib/shared/System/Text/StringBuilder.cs +++ b/src/System.Private.CoreLib/shared/System/Text/StringBuilder.cs @@ -2088,7 +2088,10 @@ namespace System.Text fixed (char* valuePtr = value) { // calculate the total amount of extra space or space needed for all the replacements. - int delta = (value.Length - removeCount) * replacementsCount; + long longDelta = (value.Length - removeCount) * (long)replacementsCount; + int delta = (int)longDelta; + if (delta != longDelta) + throw new OutOfMemoryException(); StringBuilder targetChunk = sourceChunk; // the target as we copy chars down int targetIndexInChunk = replacements[0]; |