On Sun, May 17, 2026 at 11:24:52AM +0200, Renaud Allard wrote:
> From: Renaud Allard <[email protected]>
> To: Theo Buehler <[email protected]>
> Cc: [email protected]
> Subject: Re: lex(1): signed integer overflow in repetition count
> Date: Sun, 17 May 2026 11:24:52 +0200
> 
> Sorry about that.  doxygen's pre.l uses {0,1000} on several string
> patterns (lines 642, 645, 658, 668, 685), which exceeds OpenBSD's
> RE_DUP_MAX at 255.
> 
> The UBSan trigger I was originally fixing is "lb - 1" wrapping when
> lb is INT_MIN (sscanf("%d") clamps overflow that way on OpenBSD).
> That only requires forbidding negative values, not capping at 255.
> The grammars-too-large case is already caught downstream by the
> "input rules are too complicated" check in mkstate().
> 
> Minimal follow-up that keeps the overflow guard but drops the cap:
> 
Here is the correct one rebased on 1.14 after the revert:

Index: usr.bin/lex/nfa.c
===================================================================
RCS file: /cvs/src/usr.bin/lex/nfa.c,v
retrieving revision 1.14
diff -u -p -r1.14 nfa.c
--- usr.bin/lex/nfa.c   17 May 2026 15:32:55 -0000      1.14
+++ usr.bin/lex/nfa.c
@@ -554,6 +554,9 @@ mkrep(int mach, int lb, int ub)
 {
        int base_mach, tail, copy, i;

+       if (lb < 0 || (ub < 0 && ub != INFINITE_REPEAT))
+               flexfatal(_("negative repetition value"));
+
        base_mach = copysingl(mach, lb - 1);

        if (ub == INFINITE_REPEAT) {
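
Review bot: The new check at the top of mkrep() reports "negative repetition value", but per the discussion above the negative lb comes from an overflowed sscanf("%d") conversion, so the user who wrote a huge positive count gets a message about a negative number they never typed. Something like "repetition value out of range" would match what actually happened. A one-line comment above the check saying it exists to keep "lb - 1" from wrapping at INT_MIN would also help, since the reason is not obvious from the condition alone. Separately, lb == 0 passes this guard and still reaches copysingl(mach, lb - 1) with -1; if callers guarantee lb >= 1 that is worth stating in the comment, otherwise the condition should be lb < 1. The exemption "ub != INFINITE_REPEAT" also means a ub that happens to equal the sentinel is accepted as infinite, which is fine only if the sentinel cannot come from a parsed number.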

> Verified on amd64, i386, and arm64 against doxygen and the original
> issue.
> 
OK?
