
Re: [PATCH] dfa: don't overrun a malloc'd buffer for certain regexps


From: Paul Eggert
Subject: Re: [PATCH] dfa: don't overrun a malloc'd buffer for certain regexps
Date: Fri, 17 Jun 2011 14:34:14 -0700
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110428 Fedora/3.1.10-1.fc14 Thunderbird/3.1.10

On 06/17/11 01:46, Jim Meyering wrote:
> +  MALLOC(merged.elems, position, 2 * d->nleaves);

Hmm, aren't other buffer overruns possible in that
area, via integer overflows?

How about the additional patch given at the end of this
message?  I haven't tested it because savannah grep doesn't
build out of the box for me: ./bootstrap ends with 

./bootstrap: aclocal --force -I m4  ...
configure.ac:88: warning: gt_LC_MESSAGES is m4_require'd but not m4_defun'd
m4/localename.m4:7: gl_LOCALENAME is expanded from...
m4/gnulib-comp.m4:278: gl_INIT is expanded from...

and a few more lines like that (I suppose I should file
another bug report, but I'm supposed to be finishing my
grading now....).  Anyway, here's the untested patch:

diff --git a/src/dfa.c b/src/dfa.c
index c32d679..38f0566 100644
--- a/src/dfa.c
+++ b/src/dfa.c
@@ -396,19 +396,20 @@ struct dfa
 static void dfamust (struct dfa *dfa);
 static void regexp (void);
 
-#define CALLOC(p, t, n) ((p) = xcalloc((size_t)(n), sizeof (t)))
-#define MALLOC(p, t, n) ((p) = xmalloc((n) * sizeof (t)))
-#define REALLOC(p, t, n) ((p) = xrealloc((p), (n) * sizeof (t)))
+#define CALLOC(p, t, n) ((p) = XCALLOC (n, t))
+#define MALLOC(p, t, n) ((p) = XNMALLOC (n, t))
+#define REALLOC(p, t, n) ((p) = xnrealloc (p, n, sizeof (t)))
 
 /* Reallocate an array of type t if nalloc is too small for index. */
-#define REALLOC_IF_NECESSARY(p, t, nalloc, index) \
-  if ((index) >= (nalloc))                       \
-    {                                            \
-      do                                         \
-        (nalloc) *= 2;                           \
-      while ((index) >= (nalloc));               \
-      REALLOC(p, t, nalloc);                     \
-    }
+#define REALLOC_IF_NECESSARY(p, t, nalloc, index)       \
+  do                                                    \
+    if ((nalloc) <= (index))                            \
+      {                                                 \
+        size_t new_nalloc = (index) + ! (p);            \
+        (p) = x2nrealloc (p, &new_nalloc, sizeof (t));  \
+        (nalloc) = new_nalloc;                          \
+      }                                                 \
+  while (false)
 
 
 #ifdef DEBUG
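Review bot: The rewritten REALLOC_IF_NECESSARY declares a block-scope `size_t new_nalloc` inside the macro body, so a caller whose `p`, `nalloc` or `index` argument is itself spelled `new_nalloc` would have that argument captured by the macro's own uninitialized local instead of the caller's variable, a silent failure in a macro meant as a hardening change. A spelling no caller will use avoids it, e.g. `size_t new_nalloc_ = (index) + ! (p);` with the two following lines adjusted to match. The macro also assigns the `size_t` result back into `(nalloc)`; if any caller's nalloc field is narrower than `size_t` (not visible from this hunk), the assignment truncates the grown count silently, which deserves a comment such as `/* nalloc must be a size_t lvalue; narrower types truncate the grown count. */` or a cast. Finally, `while (false)` relies on `<stdbool.h>` (or an equivalent definition) already being included by dfa.c, which the hunk does not show.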


