Bug#24449076 - INTEGER OVERFLOW IN FUNCTION DOINSERT

DESCRIPTION
===========
Performing a pattern match of a regex resulting in a very
large string leads to a crash due to integer wraparound.

ANALYSIS
========
doinsert() - The length calculated here (to copy the
number of bytes) comes out to be too large to be stored in
the "int" variable 'length'. We need to ensure that the
variable can accommodate large lengths.

FIX
===
'length' in doinsert() is now defined as type "size_t"
instead of "int".
This commit is contained in:
Shishir Jaiswal 2016-11-29 11:26:25 +05:30
parent 8f29705851
commit 52b0c8146b
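As an added illustration (not code from the MySQL sources or from this commit), the snippet below reproduces the narrowing the commit message describes: a byte count computed as (element count) * sizeof(element) is a size_t value, and storing it in an int discards the high bits. It also shows a checked variant that rejects an inverted range and a product that cannot fit in size_t. The typedefs for `sop` and `sopno`, the helper names and the chosen element counts are stand-ins for this example, not the regex engine's own definitions.

```c
/* Added example: int vs. size_t for a computed copy length, plus a
 * checked variant. Types and names are assumptions, not the engine's. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t sop;   /* assumption: stand-in for the 8-byte opcode type */
typedef long sopno;     /* assumption: stand-in for the strip index type */

/* Pre-fix shape: the size_t product is narrowed into an int.
 * For large counts the stored value wraps (here to -8). */
static int narrowed_length(sopno here, sopno pos)
{
    int length = (int)((here - pos - 1) * sizeof(sop));
    return length;
}

/* Post-fix shape: the product stays in size_t and is kept intact. */
static size_t widened_length(sopno here, sopno pos)
{
    size_t length = (here - pos - 1) * sizeof(sop);
    return length;
}

/* Checked variant: fail if there is nothing to move (here <= pos) or if
 * count * sizeof(sop) would exceed SIZE_MAX. Returns 0 on success. */
static int checked_length(sopno here, sopno pos, size_t *out)
{
    if (here <= pos)
        return -1;                          /* inverted or empty range */
    size_t count = (size_t)(here - pos - 1);
    if (count > SIZE_MAX / sizeof(sop))
        return -1;                          /* product would overflow */
    *out = count * sizeof(sop);
    return 0;
}

int main(void)
{
    /* Constructed input: 2^29 opcodes * 8 bytes = 2^32 - 8 bytes. */
    sopno here = (sopno)1 << 29, pos = 0;
    size_t ok = 0;

    printf("int    : %d\n", narrowed_length(here, pos));
    printf("size_t : %zu\n", widened_length(here, pos));
    printf("checked: rc=%d len=%zu\n", checked_length(here, pos, &ok), ok);
    printf("checked (inverted range): rc=%d\n", checked_length(0, 5, &ok));
    printf("checked (huge count)    : rc=%d\n", checked_length(LONG_MAX, 0, &ok));
    return 0;
}
```

The wrap in narrowed_length() is what lands in bmove_upp() as a negative or far-too-small count; the widened form preserves the value, and the checked form makes the two ways the computation can go wrong explicit instead of silent.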


@ -1449,7 +1449,7 @@ sopno pos;
}
}
{
int length=(HERE()-pos-1)*sizeof(sop);
size_t length=(HERE()-pos-1)*sizeof(sop);
bmove_upp((uchar *) &p->strip[pos+1]+length,
(uchar *) &p->strip[pos]+length,
length);
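Review bot: the third argument to bmove_upp() is still `length`, and the parameter type it is passed into is not visible in this hunk; if bmove_upp() declares that parameter as int (or anything narrower than size_t), widening the local to size_t is undone at the call site and the same truncation the commit message describes reappears there, so confirm the prototype and widen it as well if needed. Separately, `HERE()-pos-1` is evaluated in sopno arithmetic (pos is declared `sopno pos;` in the enclosing context) before the multiplication by sizeof(sop) promotes it; if sopno is a signed type and HERE() can ever be less than or equal to pos, the negative difference converts to an enormous size_t rather than failing, so a guard such as `assert(HERE() > pos);` ahead of the `size_t length=...` line would make that precondition explicit.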