diff options
author | Paul Eggert <eggert@cs.ucla.edu> | 2005-09-02 22:54:59 +0000 |
---|---|---|
committer | Paul Eggert <eggert@cs.ucla.edu> | 2005-09-02 22:54:59 +0000 |
commit | 812cbebee227d7a1fbf79e432f35dc77f4e39c65 (patch) | |
tree | dd022e1dfe953760dcf69682784204e4e0d5f168 /lib/regex_internal.h | |
parent | f1549d4b3cca20e5b6943a114fc6d1e936bc9f30 (diff) | |
download | gnulib-812cbebee227d7a1fbf79e432f35dc77f4e39c65.tar.gz |
Check for arithmetic overflow when calculating sizes, to prevent
some buffer-overflow issues. These patches are conservative, in the
sense that when I couldn't determine whether an overflow was possible,
I inserted a run-time check.
* regex_internal.h (re_xmalloc, re_xrealloc, re_x2realloc): New macros.
(SIZE_MAX) [!defined SIZE_MAX]: New macro.
(re_alloc_oversized, re_x2alloc_oversized, re_xnmalloc):
(re_xnrealloc, re_x2nrealloc): New inline functions.
* lib/regcomp.c (init_dfa, analyze, build_range_exp, parse_bracket_exp):
(build_equiv_class, build_charclass): Check for arithmetic overflow
in size expression calculations.
* lib/regex_internal.c (re_string_realloc_buffers):
(build_wcs_upper_buffer, re_node_set_add_intersect):
(re_node_set_init_union, re_node_set_insert, re_node_set_insert_last):
(re_dfa_add_node, register_state): Likewise.
* lib/regexec.c (re_search_stub, re_copy_regs, re_search_internal):
(prune_impossible_nodes, push_fail_stack, set_regs, check_arrival):
(build_trtable, extend_buffers, match_ctx_init, match_ctx_add_entry):
(match_ctx_add_subtop, match_ctx_add_sublast): Likewise.
Diffstat (limited to 'lib/regex_internal.h')
-rw-r--r-- | lib/regex_internal.h | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/lib/regex_internal.h b/lib/regex_internal.h index 3c17fc3c9d..b1d79ef9dc 100644 --- a/lib/regex_internal.h +++ b/lib/regex_internal.h @@ -442,10 +442,70 @@ static unsigned int re_string_context_at (const re_string_t *input, #endif #define re_malloc(t,n) ((t *) malloc ((n) * sizeof (t))) +#define re_xmalloc(t,n) ((t *) re_xnmalloc (n, sizeof (t))) #define re_calloc(t,n) ((t *) calloc (n, sizeof (t))) #define re_realloc(p,t,n) ((t *) realloc (p, (n) * sizeof (t))) +#define re_xrealloc(p,t,n) ((t *) re_xnrealloc (p, n, sizeof (t))) +#define re_x2realloc(p,t,pn) ((t *) re_x2nrealloc (p, pn, sizeof (t))) #define re_free(p) free (p) +#ifndef SIZE_MAX +# define SIZE_MAX ((size_t) -1) +#endif + +/* Return true if an array of N objects, each of size S, cannot exist + due to size arithmetic overflow. S must be nonzero. */ +static inline bool +re_alloc_oversized (size_t n, size_t s) +{ + return BE (SIZE_MAX / s < n, 0); +} + +/* Return true if an array of (2 * N + 1) objects, each of size S, + cannot exist due to size arithmetic overflow. S must be nonzero. */ +static inline bool +re_x2alloc_oversized (size_t n, size_t s) +{ + return BE ((SIZE_MAX / s - 1) / 2 < n, 0); +} + +/* Allocate an array of N objects, each with S bytes of memory, + dynamically, with error checking. S must be nonzero. */ +static inline void * +re_xnmalloc (size_t n, size_t s) +{ + return re_alloc_oversized (n, s) ? NULL : malloc (n * s); +} + +/* Change the size of an allocated block of memory P to an array of N + objects each of S bytes, with error checking. S must be nonzero. */ +static inline void * +re_xnrealloc (void *p, size_t n, size_t s) +{ + return re_alloc_oversized (n, s) ? NULL : realloc (p, n * s); +} + +/* Reallocate a block of memory P to an array of (2 * (*PN) + 1) + objects each of S bytes, with error checking. S must be nonzero. + If the allocation is successful, set *PN to the new allocation + count and return the resulting pointer. Otherwise, return + NULL. */ +static inline void * +re_x2nrealloc (void *p, size_t *pn, size_t s) +{ + if (re_x2alloc_oversized (*pn, s)) + return NULL; + else + { + /* Add 1 in case *PN is zero. */ + size_t n1 = 2 * *pn + 1; + p = realloc (p, n1 * s); + if (BE (p != NULL, 1)) + *pn = n1; + return p; + } +} + struct bin_tree_t { struct bin_tree_t *parent; |