Bug 1291 - size-overflow bugs in the regex code
Summary: size-overflow bugs in the regex code
Status: NEW
Alias: None
Product: glibc
Classification: Unclassified
Component: regex (show other bugs)
Version: 2.3.5
: P2 normal
Target Milestone: ---
Assignee: GOTO Masanori
URL:
Keywords:
Depends on: 1285
Blocks:
  Show dependency treegraph
 
Reported: 2005-09-02 22:51 UTC by Paul Eggert
Modified: 2018-04-19 14:43 UTC (History)
4 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:
fweimer: security?

Attachments
add some size-overflow checks to regex code (5.50 KB, patch)
2005-09-02 22:52 UTC, Paul Eggert 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Paul Eggert 2005-09-02 22:51:43 UTC 
The regex code currently misbehaves badly if there's an arithmetic
overflow when calculating sizes, e.g., when doubling buffer sizes.
I'll attach a patch for all the instances of this that I found.  These
patches are conservative, in the sense that when I couldn't determine
whether an overflow was possible, I inserted a run-time check.
Comment 1 Paul Eggert 2005-09-02 22:52:15 UTC 
Created attachment 645 [details]
add some size-overflow checks to regex code
Comment 2 Paolo Bonzini 2006-04-26 07:15:53 UTC 
Just to preempt Ulrich, with whom I agree in this case, the patch as is does not
apply.

Please redo the patch without the Idx type, as it could be a good thing to have.
Comment 3 Andreas Jaeger 2012-02-06 14:08:08 UTC 
Paul, could you recreate the patch so that it applies cleanly against the current git head?
Comment 4 Andreas Jaeger 2012-12-01 16:47:23 UTC 
Paul, could you redo the patch for current glibc, please?