Bug 1291 - size-overflow bugs in the regex code
Summary: size-overflow bugs in the regex code
Alias: None
Product: glibc
Classification: Unclassified
Component: regex
Version: 2.3.5
Importance: P2 normal
Target Milestone: ---
Assignee: GOTO Masanori
Depends on: 1285
Reported: 2005-09-02 22:51 UTC by Paul Eggert
Modified: 2012-12-01 16:47 UTC

See Also:
Last reconfirmed:

add some size-overflow checks to regex code (5.50 KB, patch)
2005-09-02 22:52 UTC, Paul Eggert

Description Paul Eggert 2005-09-02 22:51:43 UTC
The regex code currently misbehaves badly if there's an arithmetic
overflow when calculating sizes, e.g., when doubling buffer sizes.
I'll attach a patch for all the instances of this that I found.  These
patches are conservative, in the sense that when I couldn't determine
whether an overflow was possible, I inserted a run-time check.
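The description above refers to run-time checks for size overflow when doubling buffer sizes. As an added illustration (not code from the attached patch or from glibc's regex implementation), here is the unchecked doubling beside a checked version; the names `unchecked_double`, `checked_double`, `grow_buffer` and `demo_grow` are hypothetical:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Naive doubling as the report describes: on a large length the
   multiplication wraps and the caller gets a too-small buffer. */
size_t unchecked_double(size_t len)
{
    return len * 2;
}

/* Checked doubling: returns the new element count, or 0 when 2 * len or
   the resulting byte count would not fit in size_t (0 is never valid). */
size_t checked_double(size_t len, size_t elem_size)
{
    if (elem_size == 0 || len > SIZE_MAX / 2)
        return 0;                          /* 2 * len would wrap */
    size_t doubled = len ? len * 2 : 1;    /* start from 1 for an empty buffer */
    if (doubled > SIZE_MAX / elem_size)
        return 0;                          /* doubled * elem_size would wrap */
    return doubled;
}

/* Grow *buf (holding *len elements of elem_size bytes) by doubling.
   Returns 1 on success; on any failure the old buffer is left intact. */
int grow_buffer(void **buf, size_t *len, size_t elem_size)
{
    size_t new_len = checked_double(*len, elem_size);
    if (new_len == 0)
        return 0;
    void *p = realloc(*buf, new_len * elem_size);
    if (p == NULL)
        return 0;
    *buf = p;
    *len = new_len;
    return 1;
}

/* Exercise the helpers: a real growth succeeds, while a length that
   would wrap is refused instead of yielding an undersized buffer. */
int demo_grow(void)
{
    int *ints = NULL;
    size_t len = 0;
    int ok = grow_buffer((void **)&ints, &len, sizeof *ints)   /* 0 -> 1 */
          && grow_buffer((void **)&ints, &len, sizeof *ints)   /* 1 -> 2 */
          && len == 2;
    free(ints);
    size_t huge = SIZE_MAX / 2 + 1;
    return ok && checked_double(huge, 1) == 0 && unchecked_double(huge) == 0;
}
```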
Comment 1 Paul Eggert 2005-09-02 22:52:15 UTC
Created attachment 645
add some size-overflow checks to regex code
Comment 2 Paolo Bonzini 2006-04-26 07:15:53 UTC
Just to preempt Ulrich, with whom I agree in this case, the patch as is does not

Please redo the patch without the Idx type, as it could be a good thing to have.
Comment 3 Andreas Jaeger 2012-02-06 14:08:08 UTC
Paul, could you recreate the patch so that it applies cleanly against the current git head?
Comment 4 Andreas Jaeger 2012-12-01 16:47:23 UTC
Paul, could you redo the patch for current glibc, please?