From d310db1e8895cbc4d65d5e7cfef7cdcbfa21edd1 Mon Sep 17 00:00:00 2001
From: David Renshaw
Date: Thu, 13 May 2021 17:49:01 -0400
Subject: [PATCH] Prevent potential integer overflow in BuilderArena.allocate().
---
 runtime/src/main/java/org/capnproto/BuilderArena.java | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/runtime/src/main/java/org/capnproto/BuilderArena.java b/runtime/src/main/java/org/capnproto/BuilderArena.java
index 37dc774..0323fad 100644
--- a/runtime/src/main/java/org/capnproto/BuilderArena.java
+++ b/runtime/src/main/java/org/capnproto/BuilderArena.java
@@ -87,6 +87,10 @@ public final class BuilderArena implements Arena {
 }
 }
+ /**
+ * Allocates `amount` words in an existing segment or, if no suitable segment
+ * exists, in a new segment.
+ */
 public AllocateResult allocate(int amount) {
 int len = this.segments.size();
@@ -97,6 +101,10 @@ public final class BuilderArena implements Arena {
 return new AllocateResult(this.segments.get(len - 1), result);
 }
 }
+ if (amount >= 1 << 28) {
+ // Computing `amount * Constants.BYTES_PER_WORD` would overflow.
+ throw new RuntimeException("Too many words to allocate: " + amount);
+ }
 SegmentBuilder newSegment = new SegmentBuilder(
 this.allocator.allocateSegment(amount * Constants.BYTES_PER_WORD),
 this);
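Review bot: The guard added in the second hunk, `if (amount >= 1 << 28)`, rejects only large positive values, so a negative `amount` still reaches `this.allocator.allocateSegment(amount * Constants.BYTES_PER_WORD)` with a negative byte count. The literal `1 << 28` also assumes `Constants.BYTES_PER_WORD` is 8, which the hunk does not show. Deriving the bound from the constant and rejecting negatives covers both: `if (amount < 0 || amount > Integer.MAX_VALUE / Constants.BYTES_PER_WORD)`, ideally throwing `IllegalArgumentException`, which callers catching `RuntimeException` still handle. The check sits after the attempt to allocate in the existing segment, whose call is outside the hunk, so whether that path bounds `amount` should be confirmed separately. The Javadoc added in the first hunk should gain a line such as `@throws RuntimeException if amount is too large to convert to a byte count`.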