From 6c4f549708e146d8c90d0c143af6e5ead5278787 Mon Sep 17 00:00:00 2001
From: Ben Maurer <benm@mono-cvs.ximian.com>
Date: Mon, 6 Sep 2004 12:33:38 +0000
Subject: [PATCH] 2004-09-06 Ben Maurer  <bmaurer@users.sourceforge.net>

	* object.c: When allocating an array, we have to throw
	an overflow exception if any of the lengths are < 0.

svn path=/trunk/mono/; revision=33391
---
 mono/metadata/ChangeLog |  5 +++++
 mono/metadata/object.c  | 15 +++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/mono/metadata/ChangeLog b/mono/metadata/ChangeLog
index 2bd55c5745e..137421eda3c 100644
--- a/mono/metadata/ChangeLog
+++ b/mono/metadata/ChangeLog
@@ -1,3 +1,8 @@
+2004-09-06 Ben Maurer  <bmaurer@users.sourceforge.net>
+
+	* object.c: When allocating an array, we have to throw
+	an overflow exception if any of the lengths are < 0.
+
 2004-09-06  Zoltan Varga  <vargaz@freemail.hu>
 
 	* marshal.h marshal.c: Free unmanaged memory allocated by managed code
diff --git a/mono/metadata/object.c b/mono/metadata/object.c
index 49e67258f46..2070e3ffcb9 100644
--- a/mono/metadata/object.c
+++ b/mono/metadata/object.c
@@ -1654,6 +1654,12 @@ mono_runtime_invoke_array (MonoMethod *method, void *obj, MonoArray *params,
 	}
 }
 
+static void
+arith_overflow ()
+{
+	mono_raise_exception (mono_get_exception_overflow ());
+}
+
 /**
  * mono_object_allocate:
  * @size: number of bytes to allocate
@@ -1944,12 +1950,18 @@ mono_array_new_full (MonoDomain *domain, MonoClass *array_class,
 	    (lower_bounds == NULL || lower_bounds [0] == 0)) {
 		bounds = NULL;
 		len = lengths [0];
+		if ((int) len < 0)
+			arith_overflow ();
 	} else {
 	#if HAVE_BOEHM_GC
 		bounds = GC_MALLOC (sizeof (MonoArrayBounds) * array_class->rank);
 	#else
 		bounds = g_malloc0 (sizeof (MonoArrayBounds) * array_class->rank);
 	#endif
+		for (i = 0; i < array_class->rank; ++i)
+			if ((int) lengths [i] < 0)
+				arith_overflow ();
+		
 		for (i = 0; i < array_class->rank; ++i) {
 			bounds [i].length = lengths [i];
 			if (CHECK_MUL_OVERFLOW_UN (len, lengths [i]))
@@ -2033,6 +2045,9 @@ mono_array_new_specific (MonoVTable *vtable, guint32 n)
 
 	MONO_ARCH_SAVE_REGS;
 
+	if ((int) n < 0)
+		arith_overflow ();
+	
 	elem_size = mono_array_element_size (vtable->klass);
 	if (CHECK_MUL_OVERFLOW_UN (n, elem_size))
 		mono_gc_out_of_memory (MYGUINT32_MAX);
-- 
2.11.4.GIT