On 06/17/11 01:46, Jim Meyering wrote:
> + MALLOC(merged.elems, position, 2 * d->nleaves);
Hmm, aren't other buffer overruns possible in that
area, via integer overflows?
How about the additional patch given at the end of this
message? I haven't tested it because savannah grep doesn't
build out of the box for me: ./bootstrap ends with
./bootstrap: aclocal --force -I m4 ...
configure.ac:88: warning: gt_LC_MESSAGES is m4_require'd but not m4_defun'd
m4/localename.m4:7: gl_LOCALENAME is expanded from...
m4/gnulib-comp.m4:278: gl_INIT is expanded from...
and a few more lines like that (I suppose I should file
another bug report, but I'm supposed to be finishing my
grading now....). Anyway, here's the untested patch:
diff --git a/src/dfa.c b/src/dfa.c
index c32d679..38f0566 100644
--- a/src/dfa.c
+++ b/src/dfa.c
@@ -396,19 +396,20 @@ struct dfa
static void dfamust (struct dfa *dfa);
static void regexp (void);
-#define CALLOC(p, t, n) ((p) = xcalloc((size_t)(n), sizeof (t)))
-#define MALLOC(p, t, n) ((p) = xmalloc((n) * sizeof (t)))
-#define REALLOC(p, t, n) ((p) = xrealloc((p), (n) * sizeof (t)))
+#define CALLOC(p, t, n) ((p) = XCALLOC (n, t))
+#define MALLOC(p, t, n) ((p) = XNMALLOC (n, t))
+#define REALLOC(p, t, n) ((p) = xnrealloc (p, n, sizeof (t)))
/* Reallocate an array of type t if nalloc is too small for index. */
-#define REALLOC_IF_NECESSARY(p, t, nalloc, index) \
- if ((index) >= (nalloc)) \
- { \
- do \
- (nalloc) *= 2; \
- while ((index) >= (nalloc)); \
- REALLOC(p, t, nalloc); \
- }
+#define REALLOC_IF_NECESSARY(p, t, nalloc, index) \
+ do \
+ if ((nalloc) <= (index)) \
+ { \
+ size_t new_nalloc = (index) + ! (p); \
+ (p) = x2nrealloc (p, &new_nalloc, sizeof (t)); \
+ (nalloc) = new_nalloc; \
+ } \
+ while (false)
#ifdef DEBUG
