erts: Fix possible heap corruption getting atomics

Due to comparison as a signed integer, when getting an unsigned atomic
in the range 2^63-1..2^64-1 (when the most significant bit was set), the
heap could get corrupted when the integer was retrieved: hsz would get
set to zero, but the code proceeded to build a bignum.

Steps to reproduce (at least on x86_64):

   $ erl
   1> A = atomics:new(1,[{signed,false}]).
   2> atomics:put(A,1,18446744073709551615).
   3> atomics:get(A,1).

At the last step, the shell would print some garbage and hang.

2 files changed, 4 insertions, 1 deletions

diff --git a/erts/emulator/beam/erl_bif_atomics.c b/erts/emulator/beam/erl_bif_atomics.c
index 092dbb3bd3..029831bd95 100644
--- a/erts/emulator/beam/erl_bif_atomics.c
+++ b/erts/emulator/beam/erl_bif_atomics.c
@@ -133,7 +133,7 @@ static ERTS_INLINE Eterm bld_atomic(Process* proc, AtomicsRef* p,
         if ((Uint64)val <= MAX_SMALL)
             return make_small((Sint) val);
         else {
-            Uint hsz = ERTS_UINT64_HEAP_SIZE(val);
+            Uint hsz = ERTS_UINT64_HEAP_SIZE((Uint64)val);
             Eterm* hp = HAlloc(proc, hsz);
             return erts_uint64_to_big(val, &hp);
         }
diff --git a/erts/emulator/test/atomics_SUITE.erl b/erts/emulator/test/atomics_SUITE.erl
index 8c42354770..a5407c42ee 100644
--- a/erts/emulator/test/atomics_SUITE.erl
+++ b/erts/emulator/test/atomics_SUITE.erl
@@ -126,6 +126,9 @@ unsigned_limits(Config) when is_list(Config) ->
     Min = atomics:add_get(Ref, 1, 1),
     Max = atomics:sub_get(Ref, 1, 1),
 
+    atomics:put(Ref, 1, Max),
+    io:format("Max=~p~n", [atomics:get(Ref, 1)]),
+
     {'EXIT',{badarg,_}} = (catch atomics:add(Ref, 1, Max+1)),
     IncrMin = -(1 bsl (Bits-1)),
     ok = atomics:put(Ref, 1, -IncrMin),