[llvm] r228507 - Avoid integer overflows around realloc calls resulting in potential

Tom Stellard tom at stellard.net
Mon Feb 9 06:34:21 PST 2015


On Sat, Feb 07, 2015 at 11:18:37PM +0100, Joerg Sonnenberger wrote:
> This should be merged to the release branches.
> 

Should this go into the 3.5 branch too?

-Tom

> Joerg
> 
> On Sat, Feb 07, 2015 at 09:24:06PM -0000, Joerg Sonnenberger wrote:
> > Author: joerg
> > Date: Sat Feb  7 15:24:06 2015
> > New Revision: 228507
> > 
> > URL: http://llvm.org/viewvc/llvm-project?rev=228507&view=rev
> > Log:
> > Avoid integer overflows around realloc calls resulting in potential
> > heap. Problem identified by Guido Vranken. Changes differ from original
> > OpenBSD sources by not depending on non-portable reallocarray.
> > 
> > Modified:
> >     llvm/trunk/lib/Support/regcomp.c
> > 
> > Modified: llvm/trunk/lib/Support/regcomp.c
> > URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Support/regcomp.c?rev=228507&r1=228506&r2=228507&view=diff
> > ==============================================================================
> > --- llvm/trunk/lib/Support/regcomp.c (original)
> > +++ llvm/trunk/lib/Support/regcomp.c Sat Feb  7 15:24:06 2015
> > @@ -49,6 +49,14 @@
> >  #include "regcclass.h"
> >  #include "regcname.h"
> >  
> > +#include "llvm/Config/config.h"
> > +#if HAVE_STDINT_H
> > +#include <stdint.h>
> > +#else
> > +/* Pessimistically bound memory use */
> > +#define SIZE_MAX UINT_MAX
> > +#endif
> > +
> >  /*
> >   * parse structure, passed up and down to avoid global variables and
> >   * other clumsinesses
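Review bot: The fallback branch defines `SIZE_MAX` unconditionally, so a build without HAVE_STDINT_H where some other header already supplies SIZE_MAX gets a macro redefinition, possibly with a smaller value than the real one. It also relies on `UINT_MAX` from `<limits.h>`, whose include is not visible in this hunk. Guarding the fallback, as in `#ifndef SIZE_MAX` / `#define SIZE_MAX UINT_MAX` / `#endif`, keeps the pessimistic bound only where nothing better exists. The comment could also say that the bound is what the new overflow checks before realloc compare against.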
> > @@ -1069,6 +1077,8 @@ allocset(struct parse *p)
> >  
> >  		p->ncsalloc += CHAR_BIT;
> >  		nc = p->ncsalloc;
> > +		if (nc > SIZE_MAX / sizeof(cset))
> > +			goto nomem;
> >  		assert(nc % CHAR_BIT == 0);
> >  		nbytes = nc / CHAR_BIT * css;
> >  
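Review bot: The new guard bounds `nc * sizeof(cset)`, but two lines below it `nbytes = nc / CHAR_BIT * css` is a second size multiplication that the check does not cover. It is probably safe while css stays small relative to sizeof(cset), but that is a coincidence of the current values rather than something the code enforces. Extending the condition to `if (nc > SIZE_MAX / sizeof(cset) || (css != 0 && nc / CHAR_BIT > SIZE_MAX / css)) goto nomem;` makes both allocations checked. Note also that `p->ncsalloc` is already incremented when the guard fires; whether the `nomem` path resets it cannot be seen here, since the rest of allocset is outside the hunk.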
> > @@ -1412,6 +1422,11 @@ enlarge(struct parse *p, sopno size)
> >  	if (p->ssize >= size)
> >  		return;
> >  
> > +	if ((unsigned long)size > SIZE_MAX / sizeof(sop)) {
> > +		SETERROR(REG_ESPACE);
> > +		return;
> > +	}
> > +
> >  	sp = (sop *)realloc(p->strip, size*sizeof(sop));
> >  	if (sp == NULL) {
> >  		SETERROR(REG_ESPACE);
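Review bot: The `(unsigned long)` cast in `if ((unsigned long)size > SIZE_MAX / sizeof(sop))` is doing undocumented work: if sopno is a signed type (its typedef is outside this diff), a negative size is rejected only because the cast turns it into a very large value. A comment such as `/* cast makes a negative size compare as huge, so it is rejected too */` would stop a later cleanup from dropping it, and casting to `size_t` would match the type of the right-hand side. The same applies to the `(unsigned long)p->slen` guard in the stripsnug hunk. enlarge continues past the end of this hunk.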
> > @@ -1428,6 +1443,12 @@ static void
> >  stripsnug(struct parse *p, struct re_guts *g)
> >  {
> >  	g->nstates = p->slen;
> > +	if ((unsigned long)p->slen > SIZE_MAX / sizeof(sop)) {
> > +		g->strip = p->strip;
> > +		SETERROR(REG_ESPACE);
> > +		return;
> > +	}
> > +
> >  	g->strip = (sop *)realloc((char *)p->strip, p->slen * sizeof(sop));
> >  	if (g->strip == NULL) {
> >  		SETERROR(REG_ESPACE);
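Review bot: The overflow branch assigns `g->strip = p->strip` before `SETERROR(REG_ESPACE)` without saying why, and `g->nstates` has already been set to `p->slen` by then. Presumably the assignment keeps the unshrunk buffer reachable through g so that it is still released with it, but that ownership rule is not stated anywhere in the visible lines. A comment like `/* hand the unshrunk strip to g so it is still freed on the error path */` would document it, once confirmed against the cleanup code. The realloc-failure branch that follows continues outside the hunk, so whether the two error paths could share one exit cannot be judged from here.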
> > 
> > 
> > _______________________________________________
> > llvm-commits mailing list
> > llvm-commits at cs.uiuc.edu
> > http://lists.cs.uiuc.edu/mailman/listinfo/llvm-commits


