From de742bb6eb202c5a524bab3617a2ede918598705 Mon Sep 17 00:00:00 2001
From: Sverker Eriksson
Date: Mon, 20 Feb 2012 19:53:32 +0100
Subject: erts: Fail binary_to_term if bignum arity is too large
---
 erts/emulator/beam/external.c | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'erts/emulator/beam/external.c')
diff --git a/erts/emulator/beam/external.c b/erts/emulator/beam/external.c
index 152dbcf085..9d52ed4e98 100644
--- a/erts/emulator/beam/external.c
+++ b/erts/emulator/beam/external.c
@@ -3118,6 +3118,9 @@ decoded_size(byte *ep, byte* endp, int internal_tags)
 case LARGE_BIG_EXT:
 CHKSIZE(4);
 n = get_int32(ep);
+ if (n > BIG_ARITY_MAX*sizeof(ErtsDigit)) {
+ return -1;
+ }
 SKIP2(n,4+1); /* skip, size,sign,digits */
 heap_size += 1+1+(n+sizeof(Eterm)-1)/sizeof(Eterm); /* XXX: 1 too much? */
 break;
-- 
cgit v1.2.3
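Review bot: The new guard in the LARGE_BIG_EXT case compares a byte count against a digit limit without saying so: `n` comes from `get_int32(ep)` and is the length field read from the external term, while `BIG_ARITY_MAX` appears to count `ErtsDigit` words, which is why the bound is scaled by `sizeof(ErtsDigit)`. A comment above the check would make the unit conversion and the intent explicit, e.g. `/* n is a byte count from untrusted input; reject bignums needing more than BIG_ARITY_MAX digits */`. Because `sizeof` yields `size_t`, the comparison is presumably done unsigned, so a length with the top bit set should be rejected even if `n` is a signed type; its declaration is outside the hunk, so that is worth confirming. decoded_size starts and ends outside the hunk, and the diffstat shows only external.c changed, so a regression test that feeds binary_to_term an oversized LARGE_BIG_EXT length would be a useful companion to this check.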