Commit 4618713a authored by Paul Eggert's avatar Paul Eggert
Browse files

Avoid undefined behavior with huge regexp interval counts.

* regex.c (GET_INTERVAL_COUNT): Rename from 'GET_UNSIGNED_NUMBER',
since it's now specialized to interval counts.	All uses changed.
Do not assume wrapraound on signed integer overflow.
(regex_compile): Simplify based on the above changes.
parent 01633a17
2013-12-12 Paul Eggert <eggert@cs.ucla.edu>
Avoid undefined behavior with huge regexp interval counts.
* regex.c (GET_INTERVAL_COUNT): Rename from 'GET_UNSIGNED_NUMBER',
since it's now specialized to interval counts. All uses changed.
Do not assume wrapraound on signed integer overflow.
(regex_compile): Simplify based on the above changes.
2013-12-12 Eli Zaretskii <eliz@gnu.org>
Support file names on MS-Windows that use characters outside of
......
......@@ -1989,7 +1989,7 @@ struct range_table_work_area
#endif /* emacs */
/* Get the next unsigned number in the uncompiled pattern. */
#define GET_UNSIGNED_NUMBER(num) \
#define GET_INTERVAL_COUNT(num) \
do { \
if (p == pend) \
FREE_STACK_RETURN (REG_EBRACE); \
......@@ -1998,13 +1998,11 @@ struct range_table_work_area
PATFETCH (c); \
while ('0' <= c && c <= '9') \
{ \
int prev; \
if (num < 0) \
num = 0; \
prev = num; \
num = num * 10 + c - '0'; \
if (num / 10 != prev) \
if (RE_DUP_MAX / 10 - (RE_DUP_MAX % 10 < c - '0') < num) \
FREE_STACK_RETURN (REG_BADBR); \
num = num * 10 + c - '0'; \
if (p == pend) \
FREE_STACK_RETURN (REG_EBRACE); \
PATFETCH (c); \
......@@ -3310,18 +3308,18 @@ regex_compile (const_re_char *pattern, size_t size, reg_syntax_t syntax,
beg_interval = p;
GET_UNSIGNED_NUMBER (lower_bound);
GET_INTERVAL_COUNT (lower_bound);
if (c == ',')
GET_UNSIGNED_NUMBER (upper_bound);
{
GET_INTERVAL_COUNT (upper_bound);
if (upper_bound < lower_bound)
FREE_STACK_RETURN (REG_BADBR);
}
else
/* Interval such as `{1}' => match exactly once. */
upper_bound = lower_bound;
if (lower_bound < 0 || upper_bound > RE_DUP_MAX
|| (upper_bound >= 0 && lower_bound > upper_bound))
FREE_STACK_RETURN (REG_BADBR);
if (!(syntax & RE_NO_BK_BRACES))
{
if (c != '\\')
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment