diff options
author | dgp <dgp@users.sourceforge.net> | 2013-04-08 19:45:55 (GMT) |
---|---|---|
committer | dgp <dgp@users.sourceforge.net> | 2013-04-08 19:45:55 (GMT) |
commit | e62eab9118e1460d3afe28e01dc2b83bbb63194c (patch) | |
tree | 88b8c204f46260baa9bc76dda0d1b56189e75472 | |
parent | 84d7d75f97cf88a8414d4b9832487567cfaf2bd4 (diff) | |
parent | f637643facaa33834a74333f56971933a2158176 (diff) | |
download | tcl-e62eab9118e1460d3afe28e01dc2b83bbb63194c.zip tcl-e62eab9118e1460d3afe28e01dc2b83bbb63194c.tar.gz tcl-e62eab9118e1460d3afe28e01dc2b83bbb63194c.tar.bz2 |
3610026 Stop crash when the number of "colors" in a regular expression
overflows a short int. Thanks to Heikki Linnakangas for the report and
the patch.
-rw-r--r-- | ChangeLog | 8 | ||||
-rw-r--r-- | generic/regc_color.c | 21 | ||||
-rw-r--r-- | generic/regerrs.h | 1 | ||||
-rw-r--r-- | generic/regex.h | 1 | ||||
-rw-r--r-- | generic/regguts.h | 1 | ||||
-rw-r--r-- | tests/regexp.test | 11 |
6 files changed, 36 insertions, 7 deletions
@@ -1,3 +1,11 @@ +2013-04-08 Don Porter <dgp@users.sourceforge.net> + + * generic/regc_color.c: [Bug 3610026] Stop crash when the number of + * generic/regerrs.h: "colors" in a regular expression overflows + * generic/regex.h: a short int. Thanks to Heikki Linnakangas + * generic/regguts.h: for the report and the patch. + * tests/regexp.test: + 2013-03-19 Don Porter <dgp@users.sourceforge.net> * generic/tclFCmd.c: [Bug 3597000] Consistent [file copy] result. diff --git a/generic/regc_color.c b/generic/regc_color.c index f6716be..183ef27 100644 --- a/generic/regc_color.c +++ b/generic/regc_color.c @@ -223,7 +223,6 @@ newcolor(cm) struct colormap *cm; { struct colordesc *cd; - struct colordesc *new; size_t n; if (CISERR()) @@ -241,21 +240,29 @@ struct colormap *cm; cd = &cm->cd[cm->max]; } else { /* oops, must allocate more */ + struct colordesc *newCd; + + if (cm->max == MAX_COLOR) { + CERR(REG_ECOLORS); + return COLORLESS; /* too many colors */ + } n = cm->ncds * 2; + if (n < MAX_COLOR + 1) + n = MAX_COLOR + 1; if (cm->cd == cm->cdspace) { - new = (struct colordesc *)MALLOC(n * + newCd = (struct colordesc *)MALLOC(n * sizeof(struct colordesc)); - if (new != NULL) - memcpy(VS(new), VS(cm->cdspace), cm->ncds * + if (newCd != NULL) + memcpy(VS(newCd), VS(cm->cdspace), cm->ncds * sizeof(struct colordesc)); } else - new = (struct colordesc *)REALLOC(cm->cd, + newCd = (struct colordesc *)REALLOC(cm->cd, n * sizeof(struct colordesc)); - if (new == NULL) { + if (newCd == NULL) { CERR(REG_ESPACE); return COLORLESS; } - cm->cd = new; + cm->cd = newCd; cm->ncds = n; assert(cm->max < cm->ncds - 1); cm->max++; diff --git a/generic/regerrs.h b/generic/regerrs.h index 259c0cb..72548ff 100644 --- a/generic/regerrs.h +++ b/generic/regerrs.h @@ -17,3 +17,4 @@ { REG_MIXED, "REG_MIXED", "character widths of regex and string differ" }, { REG_BADOPT, "REG_BADOPT", "invalid embedded option" }, { REG_ETOOBIG, "REG_ETOOBIG", "nfa has too many states" }, +{ REG_ECOLORS, "REG_ECOLORS", "too many colors" }, diff --git a/generic/regex.h b/generic/regex.h index a35925a..1cd2ea8 100644 --- a/generic/regex.h +++ b/generic/regex.h @@ -293,6 +293,7 @@ typedef struct { #define REG_MIXED 17 /* character widths of regex and string differ */ #define REG_BADOPT 18 /* invalid embedded option */ #define REG_ETOOBIG 19 /* nfa has too many states */ +#define REG_ECOLORS 20 /* too many colors */ /* two specials for debugging and testing */ #define REG_ATOI 101 /* convert error-code name to number */ #define REG_ITOA 102 /* convert error-code number to name */ diff --git a/generic/regguts.h b/generic/regguts.h index c77a8fc..ee5c596 100644 --- a/generic/regguts.h +++ b/generic/regguts.h @@ -174,6 +174,7 @@ */ typedef short color; /* colors of characters */ typedef int pcolor; /* what color promotes to */ +#define MAX_COLOR SHRT_MAX /* max color value */ #define COLORLESS (-1) /* impossible color */ #define WHITE 0 /* default color, parent of all others */ diff --git a/tests/regexp.test b/tests/regexp.test index 9b4c525..5328c8e 100644 --- a/tests/regexp.test +++ b/tests/regexp.test @@ -679,6 +679,17 @@ test regexp-22.4 {Bug 3606139} -setup { } -cleanup { rename a {} } -returnCodes 1 -result {couldn't compile regular expression pattern: nfa has too many states} +test regexp-22.5 {Bug 3610026} -setup { + set e {} + set cp 99 + while {$cp < 32864} { + append e [format %c [incr cp]] + } +} -body { + regexp -about $e +} -cleanup { + unset -nocomplain e cp +} -returnCodes error -match glob -result {*too many colors*} # cleanup ::tcltest::cleanupTests |