[llvm] r228507 - Avoid integer overflows around realloc calls resulting in potential
Joerg Sonnenberger
joerg at britannica.bec.de
Sat Feb 7 14:18:37 PST 2015
This should be merged to the release branches.
Joerg
On Sat, Feb 07, 2015 at 09:24:06PM -0000, Joerg Sonnenberger wrote:
> Author: joerg
> Date: Sat Feb 7 15:24:06 2015
> New Revision: 228507
>
> URL: http://llvm.org/viewvc/llvm-project?rev=228507&view=rev
> Log:
> Avoid integer overflows around realloc calls resulting in potential
> heap corruption. Problem identified by Guido Vranken. Changes differ from original
> OpenBSD sources by not depending on non-portable reallocarray.
>
> Modified:
> llvm/trunk/lib/Support/regcomp.c
>
> Modified: llvm/trunk/lib/Support/regcomp.c
> URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Support/regcomp.c?rev=228507&r1=228506&r2=228507&view=diff
> ==============================================================================
> --- llvm/trunk/lib/Support/regcomp.c (original)
> +++ llvm/trunk/lib/Support/regcomp.c Sat Feb 7 15:24:06 2015
> @@ -49,6 +49,14 @@
> #include "regcclass.h"
> #include "regcname.h"
>
> +#include "llvm/Config/config.h"
> +#if HAVE_STDINT_H
> +#include <stdint.h>
> +#else
> +/* Pessimistically bound memory use */
> +#define SIZE_MAX UINT_MAX
> +#endif
> +
> /*
> * parse structure, passed up and down to avoid global variables and
> * other clumsinesses
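Review bot: The fallback `#define SIZE_MAX UINT_MAX` in the `#else` branch is unguarded and relies on `<limits.h>` already being included, which this hunk does not show. If another header on a platform without `<stdint.h>` already defines SIZE_MAX, this line redefines it; wrapping the fallback in `#ifndef SIZE_MAX` ... `#endif` avoids that. The comment could also state that the bound is only conservative where `size_t` is at least as wide as `unsigned int`.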
> @@ -1069,6 +1077,8 @@ allocset(struct parse *p)
>
> p->ncsalloc += CHAR_BIT;
> nc = p->ncsalloc;
> + if (nc > SIZE_MAX / sizeof(cset))
> + goto nomem;
> assert(nc % CHAR_BIT == 0);
> nbytes = nc / CHAR_BIT * css;
>
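Review bot: The new guard on `nc` bounds a product with `sizeof(cset)`, but the visible `nbytes = nc / CHAR_BIT * css` two lines later is a separate multiplication that it covers only if `css` is known to be no larger than `CHAR_BIT * sizeof(cset)`. If that relation is not guaranteed, a second check such as `if (nc / CHAR_BIT > SIZE_MAX / css) goto nomem;` (with `css` nonzero) would close the gap. `p->ncsalloc` has also already been incremented when the guard fires, so whether the counter stays consistent with the real allocation depends on the `nomem` path. That path, like the rest of allocset, lies outside this hunk.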
> @@ -1412,6 +1422,11 @@ enlarge(struct parse *p, sopno size)
> if (p->ssize >= size)
> return;
>
> + if ((unsigned long)size > SIZE_MAX / sizeof(sop)) {
> + SETERROR(REG_ESPACE);
> + return;
> + }
> +
> sp = (sop *)realloc(p->strip, size*sizeof(sop));
> if (sp == NULL) {
> SETERROR(REG_ESPACE);
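Review bot: The overflow guard casts `size` to `unsigned long`, while the multiplication it protects, `size*sizeof(sop)`, is carried out in `size_t`, and the two types differ in width on some ABIs. Writing `if ((size_t)size > SIZE_MAX / sizeof(sop)) {` states the intended bound in the type that is actually used. The same cast appears in the stripsnug hunk with `p->slen`. Since the check is now duplicated, a comment such as `/* reject counts whose byte size would wrap before realloc */` above each copy, or a shared helper, would keep the two in sync. enlarge's body begins and ends outside this hunk.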
> @@ -1428,6 +1443,12 @@ static void
> stripsnug(struct parse *p, struct re_guts *g)
> {
> g->nstates = p->slen;
> + if ((unsigned long)p->slen > SIZE_MAX / sizeof(sop)) {
> + g->strip = p->strip;
> + SETERROR(REG_ESPACE);
> + return;
> + }
> +
> g->strip = (sop *)realloc((char *)p->strip, p->slen * sizeof(sop));
> if (g->strip == NULL) {
> SETERROR(REG_ESPACE);
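Review bot: The early-return path assigns `g->strip = p->strip` without saying why, and `g->nstates` has already been set from `p->slen` before the check runs. A comment such as `/* keep the untrimmed strip reachable through g so it is released with the rest of g */` would document the intent, if that is indeed the reason; the cleanup code is not visible here. The realloc-failure branch that follows is cut off by the hunk, so whether it treats `g->strip` the same way cannot be confirmed from this page.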
>
>
> _______________________________________________
> llvm-commits mailing list
> llvm-commits at cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/llvm-commits