Bug#24449076 - INTEGER OVERFLOW IN FUNCTION DOINSERT

DESCRIPTION =========== Performing a pattern match of a Regex resulting into a very large string, leads to crash due to integer wraparound. ANALYSIS ======== doinsert() - The length calculated here (to copy the number of bytes) comes out to be too large to be stored in the "int" variable 'length'. We need to ensure that the variable can accommodate large lengths. FIX === 'length' in doinsert() is now defined as of type "size_t" instead of "int"

Bug#24449076 - INTEGER OVERFLOW IN FUNCTION DOINSERT
DESCRIPTION =========== Performing a pattern match of a Regex resulting into a very large string, leads to crash due to integer wraparound. ANALYSIS ======== doinsert() - The length calculated here (to copy the number of bytes) comes out to be too large to be stored in the "int" variable 'length'. We need to ensure that the variable can accommodate large lengths. FIX === 'length' in doinsert() is now defined as of type "size_t" instead of "int"
52b0c814 · Shishir Jaiswal · 8f297058 · 52b0c814
Commit 52b0c814 authored Nov 29, 2016 by Shishir Jaiswal
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

regex/regcomp.c regex/regcomp.c +1 -1

No files found.
--- a/regex/regcomp.c
+++ b/regex/regcomp.c
@@ -1449,7 +1449,7 @@ sopno pos;
 		}
 	}
 	{
-          int length=(HERE()-pos-1)*sizeof(sop);
+          size_t length=(HERE()-pos-1)*sizeof(sop);
          bmove_upp((uchar *) &p->strip[pos+1]+length,
                    (uchar *) &p->strip[pos]+length,
                    length);