Thanks for fixing that bug, which I introduced. I added the attached
change to fix the comment (which I also wrote) that led me astray.
From 59f3fac48e8b5456f4e0a45dfd99fba38d8b7af5 Mon Sep 17 00:00:00 2001
From: Paul Eggert <[email protected]>
Date: Thu, 24 Apr 2014 12:49:58 -0700
Subject: [PATCH] dfa: fix incorrect comment that led to heap overrun
* dfa.c (maybe_realloc): Fix comment to match behavior.
---
src/dfa.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/dfa.c b/src/dfa.c
index 8fc3d6f..f9938b0 100644
--- a/src/dfa.c
+++ b/src/dfa.c
@@ -624,10 +624,14 @@ equal (charclass const s1, charclass const s2)
return memcmp (s1, s2, sizeof (charclass)) == 0;
}
-/* If needed, reallocate *PTR so that it holds at least NITEMS items.
- The array holds *NALLOC items; *NALLOC is updated on reallocation.
- ITEMSIZE is the size of one item. Avoid O(N**2) behavior on arrays
- growing linearly. */
+/* Ensure that the array addressed by PTR holds at least NITEMS +
+ (PTR || !NITEMS) items. Either return PTR, or reallocate the array
+ and return its new address. Although PTR may be null, the returned
+ value is never null.
+
+ The array holds *NALLOC items; *NALLOC must be zero if PTR is null,
+ and is updated on reallocation. ITEMSIZE is the size of one item.
+ Avoid O(N**2) behavior on arrays growing linearly. */
static void *
maybe_realloc (void *ptr, size_t nitems, size_t *nalloc, size_t itemsize)
{
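Review bot: the new guarantee "at least NITEMS + (PTR || !NITEMS) items" is exact but encodes the contract as a C expression that is easy to misread, which is precisely the failure mode the subject line describes. Since the whole point of this change is to stop callers from over-trusting the comment, spell the three cases out in words after the expression, e.g. "That is: NITEMS + 1 items if PTR is non-null, NITEMS + 1 (actually a small default) if PTR is null and NITEMS is zero, and only NITEMS items if PTR is null and NITEMS is nonzero." The last case is the one a caller who writes to index NITEMS after the call will get wrong, so it deserves a sentence of its own, together with a statement of whether callers are even expected to pass a null PTR with nonzero NITEMS; if they are not, a note to that effect (or an assert in the body, which is outside this hunk) would make the contract enforceable rather than merely documented.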
--
1.9.0