Bug 1291

Summary: size-overflow bugs in the regex code
Product: glibc Reporter: Paul Eggert <eggert>
Component: regex   Assignee: GOTO Masanori <gotom>
Status: NEW ---    
Severity: normal CC: aj, fweimer, glibc-bugs-regex, glibc-bugs
Priority: P2 Flags: fweimer: security?
Version: 2.3.5   
Target Milestone: ---   
Host: Target:
Build: Last reconfirmed:
Bug Depends on: 1285    
Bug Blocks:    
Attachments: add some size-overflow checks to regex code

Description Paul Eggert 2005-09-02 22:51:43 UTC
The regex code currently misbehaves badly if there's an arithmetic
overflow when calculating sizes, e.g., when doubling buffer sizes.
I'll attach a patch for all the instances of this that I found.  These
patches are conservative, in the sense that when I couldn't determine
whether an overflow was possible, I inserted a run-time check.
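An added example, not part of the attached patch or of glibc's regex code, of the bug class the description names: an unchecked "double the buffer" size computation next to an overflow-checked version of the same growth step. The `int_buf` type and the function names are hypothetical stand-ins for the regex code's dynamically sized arrays.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical growable array, standing in for one of the regex code's
   dynamically sized state/node arrays. */
struct int_buf {
    int *data;
    size_t alloc;   /* elements currently allocated */
};

/* The byte count an unchecked "double it" computes. size_t arithmetic
   wraps modulo SIZE_MAX+1, so for a large enough `alloc` this returns a
   small number (even 0): realloc then succeeds with far too little memory
   and the writes that follow run past the end of the block. */
size_t unchecked_new_bytes(size_t alloc, size_t elem_size) {
    return alloc * 2 * elem_size;
}

/* Returns 1 when doubling `alloc` elements of `elem_size` bytes cannot
   overflow, 0 otherwise. Both the element count and the byte count are
   tested, since either multiplication can wrap on its own. */
int doubling_is_safe(size_t alloc, size_t elem_size) {
    if (alloc > SIZE_MAX / 2)
        return 0;
    return alloc * 2 <= SIZE_MAX / elem_size;
}

/* Checked growth: refuse (so the caller can fail with REG_ESPACE, the
   error the POSIX regex API uses for memory exhaustion) instead of
   handing a wrapped size to realloc. Returns 0 on success, -1 on
   overflow or allocation failure. */
int grow_checked(struct int_buf *b) {
    size_t new_alloc;
    if (b->alloc == 0)
        new_alloc = 16;                       /* initial size; arbitrary */
    else if (doubling_is_safe(b->alloc, sizeof *b->data))
        new_alloc = b->alloc * 2;
    else
        return -1;                            /* size would wrap */
    int *p = realloc(b->data, new_alloc * sizeof *p);
    if (p == NULL)
        return -1;
    b->data = p;
    b->alloc = new_alloc;
    return 0;
}
```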
Comment 1 Paul Eggert 2005-09-02 22:52:15 UTC
Created attachment 645
add some size-overflow checks to regex code
Comment 2 Paolo Bonzini 2006-04-26 07:15:53 UTC
Just to preempt Ulrich, with whom I agree in this case, the patch as is does not
apply.

Please redo the patch without the Idx type, as it could be a good thing to have.
Comment 3 Andreas Jaeger 2012-02-06 14:08:08 UTC
Paul, could you recreate the patch so that it applies cleanly against the current git head?
Comment 4 Andreas Jaeger 2012-12-01 16:47:23 UTC
Paul, could you redo the patch for current glibc, please?