diff options
| author | Shishir Jaiswal <shishir.j.jaiswal@oracle.com> | 2016-11-29 11:26:25 +0530 |
|---|---|---|
| committer | Shishir Jaiswal <shishir.j.jaiswal@oracle.com> | 2016-11-29 11:26:25 +0530 |
| commit | 52b0c8146b1ae84a6c3fa1a20aa41736df485a46 (patch) | |
| tree | 9053fe1bb79a15183fd36ab57c726ce3d7481046 /regex | |
| parent | 8f297058512e6744b8d9f0bafe35689c702fce67 (diff) | |
| download | mariadb-git-52b0c8146b1ae84a6c3fa1a20aa41736df485a46.tar.gz | |
Bug#24449076 - INTEGER OVERFLOW IN FUNCTION DOINSERT
DESCRIPTION
===========
Performing a pattern match of a Regex resulting into a very
large string, leads to crash due to integer wraparound.
ANALYSIS
========
doinsert() - The length calculated here (to copy the
number of bytes) comes out to be too large to be stored in
the "int" variable 'length'. We need to ensure that the
variable can accommodate large lengths.
FIX
===
'length' in doinsert() is now defined as of type "size_t"
instead of "int"
Diffstat (limited to 'regex')
| -rw-r--r-- | regex/regcomp.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/regex/regcomp.c b/regex/regcomp.c index e7feb9301e6..7c450db07b7 100644 --- a/regex/regcomp.c +++ b/regex/regcomp.c @@ -1449,7 +1449,7 @@ sopno pos; } } { - int length=(HERE()-pos-1)*sizeof(sop); + size_t length=(HERE()-pos-1)*sizeof(sop); bmove_upp((uchar *) &p->strip[pos+1]+length, (uchar *) &p->strip[pos]+length, length); |