author | David Mitchell <davem@iabyn.com> | 2014-12-19 22:19:58 +0000 |
---|---|---|
committer | David Mitchell <davem@iabyn.com> | 2014-12-19 22:19:58 +0000 |
commit | 55b6a5f665b57d91246b00d58d8bf9ba32c7cdc3 (patch) | |
tree | 2ddeb9c8ac0380951818720d29611aeca74de8fa | |
parent | 646e87871404a31d5a6c6ac42ca921078d055354 (diff) | |
download | perl-55b6a5f665b57d91246b00d58d8bf9ba32c7cdc3.tar.gz |
fix integer overflow in S_study_chunk().
It was adding SSize_t_MAX to data->last_start_max when
data->last_start_max was already SSize_t_MAX.
This triggered it: /(x+y)+/.
Found by -fsanitize=undefined.
-rw-r--r-- | regcomp.c | 7 |
1 files changed, 5 insertions, 2 deletions
@@ -4888,8 +4888,11 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp, } else { /* start offset must point into the last copy */ data->last_start_min += minnext * (mincount - 1); - data->last_start_max += is_inf ? SSize_t_MAX - : (maxcount - 1) * (minnext + data->pos_delta); + data->last_start_max = + is_inf + ? SSize_t_MAX + : data->last_start_max + + (maxcount - 1) * (minnext + data->pos_delta); } } /* It is counted once already... */ |
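Review bot: the non-infinite arm of the new ternary, `data->last_start_max + (maxcount - 1) * (minnext + data->pos_delta)`, is still unguarded signed arithmetic. If data->last_start_max already holds SSize_t_MAX when this runs with is_inf false (the saturated state the commit message describes), adding any positive product overflows in the same way, and the multiplication can itself exceed SSize_t_MAX for a large maxcount. Consider saturating in this arm too: compute the product first, then assign SSize_t_MAX when data->last_start_max == SSize_t_MAX or the product is greater than SSize_t_MAX - data->last_start_max. The context line `data->last_start_min += minnext * (mincount - 1);` just above has the same shape and deserves the same check. The diffstat shows only regcomp.c changed, so a regression test that compiles /(x+y)+/ would keep the reported case covered.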