[llvm-branch-commits] [llvm-branch] r228511 - Merging r228507:

Hans Wennborg hans at hanshq.net
Sat Feb 7 15:09:08 PST 2015 

Author: hans
Date: Sat Feb  7 17:09:08 2015
New Revision: 228511

URL: http://llvm.org/viewvc/llvm-project?rev=228511&view=rev
Log:
Merging r228507:
------------------------------------------------------------------------
r228507 | joerg | 2015-02-07 13:24:06 -0800 (Sat, 07 Feb 2015) | 4 lines

Avoid integer overflows around realloc calls resulting in potential
heap. Problem identified by Guido Vranken. Changes differ from original
OpenBSD sources by not depending on non-portable reallocarray.

------------------------------------------------------------------------

Modified:
    llvm/branches/release_36/   (props changed)
    llvm/branches/release_36/lib/Support/regcomp.c

Propchange: llvm/branches/release_36/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sat Feb  7 17:09:08 2015
@@ -1,3 +1,3 @@
 /llvm/branches/Apple/Pertwee:110850,110961
 /llvm/branches/type-system-rewrite:133420-134817
-/llvm/trunk:155241,226023,226029,226044,226046,226048,226058,226075,226170-226171,226182,226473,226664,226708,226711,226755,226809,227005,227085,227250,227260-227261,227290,227294,227299,227319,227339,227491,227584,227603,227628,227670,227809,227815,227903,227934,227972,227983,228049,228129,228168,228331,228411,228444,228490,228500
+/llvm/trunk:155241,226023,226029,226044,226046,226048,226058,226075,226170-226171,226182,226473,226664,226708,226711,226755,226809,227005,227085,227250,227260-227261,227290,227294,227299,227319,227339,227491,227584,227603,227628,227670,227809,227815,227903,227934,227972,227983,228049,228129,228168,228331,228411,228444,228490,228500,228507

Modified: llvm/branches/release_36/lib/Support/regcomp.c
URL: http://llvm.org/viewvc/llvm-project/llvm/branches/release_36/lib/Support/regcomp.c?rev=228511&r1=228510&r2=228511&view=diff
==============================================================================
--- llvm/branches/release_36/lib/Support/regcomp.c (original)
+++ llvm/branches/release_36/lib/Support/regcomp.c Sat Feb  7 17:09:08 2015
@@ -49,6 +49,14 @@
 #include "regcclass.h"
 #include "regcname.h"
 
+#include "llvm/Config/config.h"
+#if HAVE_STDINT_H
+#include <stdint.h>
+#else
+/* Pessimistically bound memory use */
+#define SIZE_MAX UINT_MAX
+#endif
+
 /*
  * parse structure, passed up and down to avoid global variables and
  * other clumsinesses
@@ -1069,6 +1077,8 @@ allocset(struct parse *p)
 
 		p->ncsalloc += CHAR_BIT;
 		nc = p->ncsalloc;
+		if (nc > SIZE_MAX / sizeof(cset))
+			goto nomem;
 		assert(nc % CHAR_BIT == 0);
 		nbytes = nc / CHAR_BIT * css;
 
@@ -1412,6 +1422,11 @@ enlarge(struct parse *p, sopno size)
 	if (p->ssize >= size)
 		return;
 
+	if ((unsigned long)size > SIZE_MAX / sizeof(sop)) {
+		SETERROR(REG_ESPACE);
+		return;
+	}
+
 	sp = (sop *)realloc(p->strip, size*sizeof(sop));
 	if (sp == NULL) {
 		SETERROR(REG_ESPACE);
@@ -1428,6 +1443,12 @@ static void
 stripsnug(struct parse *p, struct re_guts *g)
 {
 	g->nstates = p->slen;
+	if ((unsigned long)p->slen > SIZE_MAX / sizeof(sop)) {
+		g->strip = p->strip;
+		SETERROR(REG_ESPACE);
+		return;
+	}
+
 	g->strip = (sop *)realloc((char *)p->strip, p->slen * sizeof(sop));
 	if (g->strip == NULL) {
 		SETERROR(REG_ESPACE);

More information about the llvm-branch-commits mailing list