authorDavid Mitchell <davem@iabyn.com>2014-12-19 22:19:58 +0000
committerDavid Mitchell <davem@iabyn.com>2014-12-19 22:19:58 +0000
commit55b6a5f665b57d91246b00d58d8bf9ba32c7cdc3 (patch)
tree2ddeb9c8ac0380951818720d29611aeca74de8fa
parent646e87871404a31d5a6c6ac42ca921078d055354 (diff)
fix integer overflow in S_study_chunk().
It was adding SSize_t_MAX to data->last_start_max when data->last_start_max was already SSize_t_MAX. This triggered it: /(x+y)+/. Found by -fsanitize=undefined.
-rw-r--r--regcomp.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/regcomp.c b/regcomp.c
index e1872b402a..2664be4644 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -4888,8 +4888,11 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
} else {
/* start offset must point into the last copy */
data->last_start_min += minnext * (mincount - 1);
- data->last_start_max += is_inf ? SSize_t_MAX
- : (maxcount - 1) * (minnext + data->pos_delta);
+ data->last_start_max =
+ is_inf
+ ? SSize_t_MAX
+ : data->last_start_max +
+ (maxcount - 1) * (minnext + data->pos_delta);
}
}
/* It is counted once already... */
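Review bot: The finite branch of the new assignment, `data->last_start_max + (maxcount - 1) * (minnext + data->pos_delta)`, is still unchecked signed arithmetic, so it can overflow if `data->last_start_max` or `data->pos_delta` is already saturated at `SSize_t_MAX` while `is_inf` is false. Whether that combination is reachable cannot be told from this hunk, since `S_study_chunk` starts and ends outside it. Because regex patterns may come from untrusted input, I would make the saturation explicit by changing the condition to `(is_inf || data->last_start_max == SSize_t_MAX)`, and bound the product before adding it. The context line `data->last_start_min += minnext * (mincount - 1);` has the same unchecked multiply-and-add shape and deserves the same check.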