llvm.org GIT mirror llvm / 830a8c2
Merging r228507: ------------------------------------------------------------------------ r228507 | joerg | 2015-02-07 13:24:06 -0800 (Sat, 07 Feb 2015) | 4 lines Avoid integer overflows around realloc calls resulting in potential heap. Problem identified by Guido Vranken. Changes differ from original OpenBSD sources by not depending on non-portable reallocarray. ------------------------------------------------------------------------ git-svn-id: https://llvm.org/svn/llvm-project/llvm/branches/release_36@228511 91177308-0d34-0410-b5e6-96231b3b80d8 Hans Wennborg 4 years ago
1 changed file(s) with 21 addition(s) and 0 deletion(s).
4747
4848 #include "regcclass.h"
4949 #include "regcname.h"
50
51 #include "llvm/Config/config.h"
52 #if HAVE_STDINT_H
53 #include
54 #else
55 /* Pessimistically bound memory use */
56 #define SIZE_MAX UINT_MAX
57 #endif
5058
5159 /*
5260 * parse structure, passed up and down to avoid global variables and
10681076
10691077 p->ncsalloc += CHAR_BIT;
10701078 nc = p->ncsalloc;
1079 if (nc > SIZE_MAX / sizeof(cset))
1080 goto nomem;
10711081 assert(nc % CHAR_BIT == 0);
10721082 nbytes = nc / CHAR_BIT * css;
10731083
14111421 if (p->ssize >= size)
14121422 return;
14131423
1424 if ((unsigned long)size > SIZE_MAX / sizeof(sop)) {
1425 SETERROR(REG_ESPACE);
1426 return;
1427 }
1428
14141429 sp = (sop *)realloc(p->strip, size*sizeof(sop));
14151430 if (sp == NULL) {
14161431 SETERROR(REG_ESPACE);
14271442 stripsnug(struct parse *p, struct re_guts *g)
14281443 {
14291444 g->nstates = p->slen;
1445 if ((unsigned long)p->slen > SIZE_MAX / sizeof(sop)) {
1446 g->strip = p->strip;
1447 SETERROR(REG_ESPACE);
1448 return;
1449 }
1450
14301451 g->strip = (sop *)realloc((char *)p->strip, p->slen * sizeof(sop));
14311452 if (g->strip == NULL) {
14321453 SETERROR(REG_ESPACE);
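Review bot: The guard added at new lines 1079-1080 bounds only `nc * sizeof(cset)`, while `nbytes = nc / CHAR_BIT * css` two lines later is a second size product that nothing visible here bounds. If `css` can exceed `sizeof(cset) * CHAR_BIT`, `nbytes` can still wrap before it is used as an allocation size; both definitions are outside the hunk, so this needs confirming. Assuming `css` is nonzero, widening the condition to `if (nc > SIZE_MAX / sizeof(cset) || nc / CHAR_BIT > SIZE_MAX / css)` would cover both products. The check also runs after `p->ncsalloc += CHAR_BIT`, so the failure path leaves the counter advanced; a short comment such as `/* nomem frees the sets, so the stale ncsalloc is never used */` would help if that is indeed what the label does. The enclosing function starts and ends outside the hunk.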