[runtime] Fix string size calculation in `mono_string_new_size()`.

This bug is not hit when doing managed allocations with SGen because the
managed allocator catches it.  It can be triggered with the embedding API, as
well as when the heavy binary protocol is enabled, in which case `bug-17590`
fails.

diff --git a/mono/metadata/object.c b/mono/metadata/object.c
index d69dfafe1cfa21e05d044fe18f08a055a81bd597..913e94f3c3116d20d01d495fda8236f400bf0668 100644 (file)
--- a/mono/metadata/object.c
+++ b/mono/metadata/object.c
@@ -5060,7 +5060,7 @@ mono_string_new_size (MonoDomain *domain, gint32 len)
        if (len < 0 || len > ((SIZE_MAX - G_STRUCT_OFFSET (MonoString, chars) - 2) / 2))
                mono_gc_out_of_memory (-1);
 
-       size = (G_STRUCT_OFFSET (MonoString, chars) + ((len + 1) * 2));
+       size = (G_STRUCT_OFFSET (MonoString, chars) + (((size_t)len + 1) * 2));
        g_assert (size > 0);
 
        vtable = mono_class_vtable (domain, mono_defaults.string_class);