From 53826be6f9a9b94eac45184a9cd94f212a80f551 Mon Sep 17 00:00:00 2001
From: Alex Shinn
Date: Wed, 1 Jan 2014 13:26:43 +0900
Subject: [PATCH] Handling potential memory overflow in random-integer with a bignum bound.
---
 lib/srfi/27/rand.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/srfi/27/rand.c b/lib/srfi/27/rand.c
index f1ea059e..df7b579e 100644
--- a/lib/srfi/27/rand.c
+++ b/lib/srfi/27/rand.c
@@ -51,8 +51,8 @@ static sexp sexp_rs_random_integer (sexp ctx, sexp self, sexp_sint_t n, sexp rs,
 #if SEXP_USE_BIGNUMS
 } else if (sexp_bignump(bound)) {
 hi = sexp_bignum_hi(bound);
- len = hi * sizeof(sexp_uint_t) / sizeof(int32_t);
- res = sexp_make_bignum(ctx, hi);
+ len = hi * (sizeof(sexp_uint_t) / sizeof(int32_t));
+ res = sexp_make_bignum(ctx, hi + 1);
 data = (int32_t*) sexp_bignum_data(res);
 for (i=0; i