author: Shishir Jaiswal <shishir.j.jaiswal@oracle.com> 2016-11-29 11:26:25 +0530
committer: Shishir Jaiswal <shishir.j.jaiswal@oracle.com> 2016-11-29 11:26:25 +0530
commit: 52b0c8146b1ae84a6c3fa1a20aa41736df485a46
tree: 9053fe1bb79a15183fd36ab57c726ce3d7481046
parent: 8f297058512e6744b8d9f0bafe35689c702fce67
Bug#24449076 - INTEGER OVERFLOW IN FUNCTION DOINSERT

DESCRIPTION
===========
Performing a pattern match of a Regex resulting into a very large string, leads to crash due to integer wraparound.

ANALYSIS
========
doinsert() - The length calculated here (to copy the number of bytes) comes out to be too large to be stored in the "int" variable 'length'. We need to ensure that the variable can accommodate large lengths.

FIX
===
'length' in doinsert() is now defined as of type "size_t" instead of "int"

-rw-r--r-- regex/regcomp.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/regex/regcomp.c b/regex/regcomp.c
index e7feb9301e6..7c450db07b7 100644
--- a/regex/regcomp.c
+++ b/regex/regcomp.c
@@ -1449,7 +1449,7 @@ sopno pos;
}
}
{
- int length=(HERE()-pos-1)*sizeof(sop);
+ size_t length=(HERE()-pos-1)*sizeof(sop);
bmove_upp((uchar *) &p->strip[pos+1]+length,
(uchar *) &p->strip[pos]+length,
length);
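
Review bot: The new `size_t length` is unsigned, so if `HERE()-pos-1` can ever be zero or negative at this point, the value handed to `bmove_upp` becomes a very large byte count instead of a negative one, and nothing in the visible lines guards against that. Consider asserting that `HERE() > pos` just before the declaration, or adding a comment stating why it always holds. It is also worth confirming that the third parameter of `bmove_upp` is at least as wide as `size_t`, otherwise the same narrowing the commit message describes simply moves into the call. The diffstat shows only `regex/regcomp.c` changed, so the large-pattern case from the description has no regression test; adding one would keep the wraparound from returning.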