Commit 52b0c814 authored by Shishir Jaiswal's avatar Shishir Jaiswal

Bug#24449076 - INTEGER OVERFLOW IN FUNCTION DOINSERT

DESCRIPTION
===========
Performing a pattern match of a Regex resulting into a very
large string, leads to crash due to integer wraparound.

ANALYSIS
========
doinsert() - The length calculated here (to copy the
number of bytes) comes out to be too large to be stored in
the "int" variable 'length'. We need to ensure that the
variable can accommodate large lengths.

FIX
===
'length' in doinsert() is now defined as of type "size_t"
instead of "int"
parent 8f297058
...@@ -1449,7 +1449,7 @@ sopno pos; ...@@ -1449,7 +1449,7 @@ sopno pos;
} }
} }
{ {
int length=(HERE()-pos-1)*sizeof(sop); size_t length=(HERE()-pos-1)*sizeof(sop);
bmove_upp((uchar *) &p->strip[pos+1]+length, bmove_upp((uchar *) &p->strip[pos+1]+length,
(uchar *) &p->strip[pos]+length, (uchar *) &p->strip[pos]+length,
length); length);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment