Mercurial > hg > octave-nkf > gnulib-hg
diff lib/regex_internal.h @ 6206:ca2f5d46eeb6
Check for arithmetic overflow when calculating sizes, to prevent
some buffer-overflow issues. These patches are conservative, in the
sense that when I couldn't determine whether an overflow was possible,
I inserted a run-time check.
* regex_internal.h (re_xmalloc, re_xrealloc, re_x2realloc): New macros.
(SIZE_MAX) [!defined SIZE_MAX]: New macro.
(re_alloc_oversized, re_x2alloc_oversized, re_xnmalloc):
(re_xnrealloc, re_x2nrealloc): New inline functions.
* lib/regcomp.c (init_dfa, analyze, build_range_exp, parse_bracket_exp):
(build_equiv_class, build_charclass): Check for arithmetic overflow
in size expression calculations.
* lib/regex_internal.c (re_string_realloc_buffers):
(build_wcs_upper_buffer, re_node_set_add_intersect):
(re_node_set_init_union, re_node_set_insert, re_node_set_insert_last):
(re_dfa_add_node, register_state): Likewise.
* lib/regexec.c (re_search_stub, re_copy_regs, re_search_internal):
(prune_impossible_nodes, push_fail_stack, set_regs, check_arrival):
(build_trtable, extend_buffers, match_ctx_init, match_ctx_add_entry):
(match_ctx_add_subtop, match_ctx_add_sublast): Likewise.
| author | Paul Eggert <eggert@cs.ucla.edu> |
|---|---|
| date | Fri, 02 Sep 2005 22:54:59 +0000 |
| parents | 25eaa608fc4e |
| children | afb93b90dcb8 |
line wrap: on
line diff
--- a/lib/regex_internal.h +++ b/lib/regex_internal.h @@ -442,10 +442,70 @@ #endif #define re_malloc(t,n) ((t *) malloc ((n) * sizeof (t))) +#define re_xmalloc(t,n) ((t *) re_xnmalloc (n, sizeof (t))) #define re_calloc(t,n) ((t *) calloc (n, sizeof (t))) #define re_realloc(p,t,n) ((t *) realloc (p, (n) * sizeof (t))) +#define re_xrealloc(p,t,n) ((t *) re_xnrealloc (p, n, sizeof (t))) +#define re_x2realloc(p,t,pn) ((t *) re_x2nrealloc (p, pn, sizeof (t))) #define re_free(p) free (p) +#ifndef SIZE_MAX +# define SIZE_MAX ((size_t) -1) +#endif + +/* Return true if an array of N objects, each of size S, cannot exist + due to size arithmetic overflow. S must be nonzero. */ +static inline bool +re_alloc_oversized (size_t n, size_t s) +{ + return BE (SIZE_MAX / s < n, 0); +} + +/* Return true if an array of (2 * N + 1) objects, each of size S, + cannot exist due to size arithmetic overflow. S must be nonzero. */ +static inline bool +re_x2alloc_oversized (size_t n, size_t s) +{ + return BE ((SIZE_MAX / s - 1) / 2 < n, 0); +} + +/* Allocate an array of N objects, each with S bytes of memory, + dynamically, with error checking. S must be nonzero. */ +static inline void * +re_xnmalloc (size_t n, size_t s) +{ + return re_alloc_oversized (n, s) ? NULL : malloc (n * s); +} + +/* Change the size of an allocated block of memory P to an array of N + objects each of S bytes, with error checking. S must be nonzero. */ +static inline void * +re_xnrealloc (void *p, size_t n, size_t s) +{ + return re_alloc_oversized (n, s) ? NULL : realloc (p, n * s); +} + +/* Reallocate a block of memory P to an array of (2 * (*PN) + 1) + objects each of S bytes, with error checking. S must be nonzero. + If the allocation is successful, set *PN to the new allocation + count and return the resulting pointer. Otherwise, return + NULL. */ +static inline void * +re_x2nrealloc (void *p, size_t *pn, size_t s) +{ + if (re_x2alloc_oversized (*pn, s)) + return NULL; + else + { + /* Add 1 in case *PN is zero. */ + size_t n1 = 2 * *pn + 1; + p = realloc (p, n1 * s); + if (BE (p != NULL, 1)) + *pn = n1; + return p; + } +} + struct bin_tree_t { struct bin_tree_t *parent;