Bug 1291 - size-overflow bugs in the regex code
Summary: size-overflow bugs in the regex code
Status: WAITING
Alias: None
Product: glibc
Classification: Unclassified
Component: regex (show other bugs)
Version: 2.3.5
: P2 normal
Target Milestone: ---
Assignee: GOTO Masanori
URL:
Keywords:
Depends on: 1285
Blocks:
  Show dependency treegraph
 
Reported: 2005-09-02 22:51 UTC by Paul Eggert
Modified: 2012-12-01 16:47 UTC (History)
3 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
add some size-overflow checks to regex code (5.50 KB, patch)
2005-09-02 22:52 UTC, Paul Eggert
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Paul Eggert 2005-09-02 22:51:43 UTC
The regex code currently misbehaves badly if there's an arithmetic
overflow when calculating sizes, e.g., when doubling buffer sizes.
I'll attach a patch for all the instances of this that I found.  These
patches are conservative, in the sense that when I couldn't determine
whether an overflow was possible, I inserted a run-time check.
Comment 1 Paul Eggert 2005-09-02 22:52:15 UTC
Created attachment 645 [details]
add some size-overflow checks to regex code
Comment 2 Paolo Bonzini 2006-04-26 07:15:53 UTC
Just to preempt Ulrich, with whom I agree in this case, the patch as is does not
apply.

Please redo the patch without the Idx type, as it could be a good thing to have.
Comment 3 Andreas Jaeger 2012-02-06 14:08:08 UTC
Paul, could you recreate the patch so that it applies cleanly against the current git head?
Comment 4 Andreas Jaeger 2012-12-01 16:47:23 UTC
Paul, could you redo the patch for current glibc, please?