[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
glibc regex.c mishandles integer overflow in interval expressions
From: |
Paul Eggert |
Subject: |
glibc regex.c mishandles integer overflow in interval expressions |
Date: |
Wed, 21 Mar 2001 18:53:27 -0800 (PST) |
glibc regex.c doesn't detect integer overflow in interval expressions.
Here's a shell script illustrating the bug, using GNU grep compiled
with glibc regexp on a 32-bit host:
$ echo abc | egrep 'ab{4294967297}c'
abc
egrep should report an overflow, but regex.c silently substitutes 1
for 4294967297.
I found this bug while merging the '{'-handling code of GNU grep into
glibc. I'll submit a patch for that more important issue soon. The
two problems are somewhat related, since GNU egrep extends POSIX
slightly, and in some cases treats '{4294967297}' as if it were
'\{4294967297\}' for backward compatibility reasons. However, this
overflow fix is separable from the other patch.
2001-03-21 Paul Eggert <address@hidden>
* posix/regex.c (GET_UNSIGNED_NUMBER): Check for overflow.
Rewrite to avoid duplicate code.
===================================================================
RCS file: regex.c,v
retrieving revision 1.91
retrieving revision 1.91.0.1
diff -pu -r1.91 -r1.91.0.1
--- regex.c 2001/02/15 21:23:10 1.91
+++ regex.c 2001/03/22 02:42:43 1.91.0.1
@@ -2139,20 +2139,20 @@ typedef struct
/* Get the next unsigned number in the uncompiled pattern. */
#define GET_UNSIGNED_NUMBER(num) \
- { if (p != pend) \
- { \
- PATFETCH (c); \
- while ('0' <= c && c <= '9') \
- { \
- if (num < 0)
\
- num = 0; \
- num = num * 10 + c - '0'; \
- if (p == pend) \
- break; \
- PATFETCH (c); \
- } \
- } \
- }
+ { \
+ while (p != pend) \
+ {
\
+ PATFETCH (c); \
+ if (! ('0' <= c && c <= '9')) \
+ break; \
+ if (num <= RE_DUP_MAX) \
+ { \
+ if (num < 0) \
+ num = 0; \
+ num = num * 10 + c - '0'; \
+ } \
+ }
\
+ }
#if defined _LIBC || WIDE_CHAR_SUPPORT
/* The GNU C library provides support for user-defined character classes
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- glibc regex.c mishandles integer overflow in interval expressions,
Paul Eggert <=