]> granicus.if.org Git - musl/commit
fix missing integer overflow checks in regexec buffer size computations
authorRich Felker <dalias@aerifal.cx>
Thu, 6 Oct 2016 22:34:58 +0000 (18:34 -0400)
committerRich Felker <dalias@aerifal.cx>
Thu, 6 Oct 2016 22:47:53 +0000 (18:47 -0400)
commitc3edc06d1e1360f3570db9155d6b318ae0d0f0f7
treee1064c892c9e2d2cbbcbce7ea22bc0967701ae46
parent583ea83541dcc6481c7a1bd1a9b485526bad84a1
fix missing integer overflow checks in regexec buffer size computations

most of the possible overflows were already ruled out in practice by
regcomp having already succeeded performing larger allocations.
however at least the num_states*num_tags multiplication can clearly
overflow in practice. for safety, check them all, and use the proper
type, size_t, rather than int.

also improve comments, use calloc in place of malloc+memset, and
remove bogus casts.
src/regex/regexec.c