From 52b0c8146b1ae84a6c3fa1a20aa41736df485a46 Mon Sep 17 00:00:00 2001 From: Shishir Jaiswal Date: Tue, 29 Nov 2016 11:26:25 +0530 Subject: [PATCH] Bug#24449076 - INTEGER OVERFLOW IN FUNCTION DOINSERT DESCRIPTION =========== Performing a pattern match of a Regex resulting into a very large string, leads to crash due to integer wraparound. ANALYSIS ======== doinsert() - The length calculated here (to copy the number of bytes) comes out to be too large to be stored in the "int" variable 'length'. We need to ensure that the variable can accommodate large lengths. FIX === 'length' in doinsert() is now defined as of type "size_t" instead of "int" --- regex/regcomp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/regex/regcomp.c b/regex/regcomp.c index e7feb9301e6..7c450db07b7 100644 --- a/regex/regcomp.c +++ b/regex/regcomp.c @@ -1449,7 +1449,7 @@ sopno pos; } } { - int length=(HERE()-pos-1)*sizeof(sop); + size_t length=(HERE()-pos-1)*sizeof(sop); bmove_upp((uchar *) &p->strip[pos+1]+length, (uchar *) &p->strip[pos]+length, length);
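Review bot: widening `length` to `size_t` in doinsert() only removes the wraparound if bmove_upp() accepts a length of that width; the hunk does not show its prototype, so please confirm its third parameter is `size_t` (or at least not `int`/`uint`), otherwise the truncation just moves from the local variable into the call. Two further points on the same line: `HERE()-pos-1` is signed `sopno` arithmetic, and if it can ever be negative (pos at or beyond the current strip end) the product now wraps to a huge `size_t` and bmove_upp() would move far past the strip, so a guard such as `assert(HERE() > pos)` before the move would make the intent explicit; and the commit message could state which regex input drives the strip past INT_MAX bytes, since that is what a reader needs to reproduce and re-test the fix.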