Module Name:    src
Committed By:   martin
Date:           Sat Feb 21 12:58:01 UTC 2015

Modified Files:
        src/lib/libc/regex [netbsd-6-0]: regcomp.c

Log Message:
Apply patch, requested by joerg in ticket #1257:

        lib/libc/regex/regcomp.c (patch)

Fix a multiplication overflow in allocation, which has been fixed
differently in rev. 1.34 in -current.


To generate a diff of this commit:
cvs rdiff -u -r1.32 -r1.32.6.1 src/lib/libc/regex/regcomp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libc/regex/regcomp.c
diff -u src/lib/libc/regex/regcomp.c:1.32 src/lib/libc/regex/regcomp.c:1.32.6.1
--- src/lib/libc/regex/regcomp.c:1.32	Tue Nov  8 19:25:45 2011
+++ src/lib/libc/regex/regcomp.c	Sat Feb 21 12:58:01 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: regcomp.c,v 1.32 2011/11/08 19:25:45 christos Exp $	*/
+/*	$NetBSD: regcomp.c,v 1.32.6.1 2015/02/21 12:58:01 martin Exp $	*/
 
 /*-
  * Copyright (c) 1992, 1993, 1994
@@ -76,7 +76,7 @@
 #if 0
 static char sccsid[] = "@(#)regcomp.c	8.5 (Berkeley) 3/20/94";
 #else
-__RCSID("$NetBSD: regcomp.c,v 1.32 2011/11/08 19:25:45 christos Exp $");
+__RCSID("$NetBSD: regcomp.c,v 1.32.6.1 2015/02/21 12:58:01 martin Exp $");
 #endif
 #endif /* LIBC_SCCS and not lint */
 
@@ -261,12 +261,15 @@ regcomp(
 	} else
 		len = strlen(pattern);
 
+	p->ssize = len/(size_t)2*(size_t)3 + (size_t)1;	/* ugh */
+	if (p->ssize > SIZE_MAX / sizeof(sop))
+		return(REG_ESPACE);
+
 	/* do the mallocs early so failure handling is easy */
 	g = (struct re_guts *)malloc(sizeof(struct re_guts) +
 							(NC-1)*sizeof(cat_t));
 	if (g == NULL)
 		return(REG_ESPACE);
-	p->ssize = len/(size_t)2*(size_t)3 + (size_t)1;	/* ugh */
 	p->strip = malloc(p->ssize * sizeof(sop));
 	p->slen = 0;
 	if (p->strip == NULL) {
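Review bot: The new guard in regcomp() compares `p->ssize` only after `len/(size_t)2*(size_t)3 + (size_t)1` has been evaluated and stored, so the arithmetic itself stays unchecked. For a very large `len` the expression could wrap, or be narrowed if `ssize` is not a `size_t` (its declaration is outside the hunk), before the comparison sees it. Bounding `len` ahead of the assignment avoids depending on the stored value, for example `if (len / 2 > (SIZE_MAX / sizeof(sop) - 1) / 3) return(REG_ESPACE);`. A short comment that the check sits before the mallocs so the early return has nothing to free would also explain why the assignment moved. The same store-then-check order appears in the enlarge() hunk, where `p->ssize = size` precedes the test.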
@@ -1243,7 +1246,7 @@ allocset(
 		nc = p->ncsalloc;
 		assert(nc % CHAR_BIT == 0);
 		nbytes = nc / CHAR_BIT * css;
-		if (MEMSIZE(p) > MEMLIMIT)
+		if (MEMSIZE(p) > MEMLIMIT || nc > SIZE_MAX / sizeof(cset))
 			goto oomem;
 		if (p->g->sets == NULL)
 			p->g->sets = malloc(nc * sizeof(cset));
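Review bot: In allocset() the added test covers `nc * sizeof(cset)`, but `nbytes = nc / CHAR_BIT * css` two lines above it is still computed without an overflow check. If `nbytes` sizes an allocation later in the function (the rest of the body is outside the hunk), it needs the same guard, for example `|| nc / CHAR_BIT > SIZE_MAX / css` in the same condition, assuming `css` is a non-zero `size_t`. The declarations of `nc` and `css` are not visible here, so the exact form should be checked against their types.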
@@ -1773,7 +1776,7 @@ enlarge(
 
 	osize = p->ssize;
 	p->ssize = size;
-	if (MEMSIZE(p) > MEMLIMIT)
+	if (MEMSIZE(p) > MEMLIMIT || p->ssize > SIZE_MAX / sizeof(sop))
 		goto oomem;
 	sp = realloc(p->strip, p->ssize * sizeof(sop));
 	if (sp == NULL) {
@@ -1800,6 +1803,11 @@ stripsnug(
 	_DIAGASSERT(g != NULL);
 
 	g->nstates = p->slen;
+	if (p->slen > SIZE_MAX / sizeof(sop)) {
+		SETERROR(REG_ESPACE);
+		g->strip = p->strip;
+		return;
+	}
 	g->strip = realloc(p->strip, p->slen * sizeof(sop));
 	if (g->strip == NULL) {
 		SETERROR(REG_ESPACE);
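Review bot: The new early-return branch in stripsnug() repeats the `SETERROR(REG_ESPACE)` recovery that the existing `g->strip == NULL` branch starts right after the realloc, so there are now two failure paths to keep in step; that second branch continues past the end of the hunk. A one-line comment on the new branch saying why `g->strip = p->strip` is kept on failure would help, for example `/* realloc not attempted: hand the unshrunk strip to g so it is not lost */`, with the wording confirmed against how the caller releases `g`. Note also that `g->nstates = p->slen` is assigned before the size test, so it is set even when the function bails out.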
