diff options
| author | dgp <dgp@users.sourceforge.net> | 2013-04-08 19:45:55 (GMT) |
|---|---|---|
| committer | dgp <dgp@users.sourceforge.net> | 2013-04-08 19:45:55 (GMT) |
| commit | e62eab9118e1460d3afe28e01dc2b83bbb63194c (patch) | |
| tree | 88b8c204f46260baa9bc76dda0d1b56189e75472 /generic | |
| parent | 84d7d75f97cf88a8414d4b9832487567cfaf2bd4 (diff) | |
| parent | f637643facaa33834a74333f56971933a2158176 (diff) | |
| download | tcl-e62eab9118e1460d3afe28e01dc2b83bbb63194c.zip tcl-e62eab9118e1460d3afe28e01dc2b83bbb63194c.tar.gz tcl-e62eab9118e1460d3afe28e01dc2b83bbb63194c.tar.bz2 | |
3610026 Stop crash when the number of "colors" in a regular expression
overflows a short int. Thanks to Heikki Linnakangas for the report and
the patch.
Diffstat (limited to 'generic')
| -rw-r--r-- | generic/regc_color.c | 21 | ||||
| -rw-r--r-- | generic/regerrs.h | 1 | ||||
| -rw-r--r-- | generic/regex.h | 1 | ||||
| -rw-r--r-- | generic/regguts.h | 1 |
4 files changed, 17 insertions, 7 deletions
diff --git a/generic/regc_color.c b/generic/regc_color.c index f6716be..183ef27 100644 --- a/generic/regc_color.c +++ b/generic/regc_color.c @@ -223,7 +223,6 @@ newcolor(cm) struct colormap *cm; { struct colordesc *cd; - struct colordesc *new; size_t n; if (CISERR()) @@ -241,21 +240,29 @@ struct colormap *cm; cd = &cm->cd[cm->max]; } else { /* oops, must allocate more */ + struct colordesc *newCd; + + if (cm->max == MAX_COLOR) { + CERR(REG_ECOLORS); + return COLORLESS; /* too many colors */ + } n = cm->ncds * 2; + if (n < MAX_COLOR + 1) + n = MAX_COLOR + 1; if (cm->cd == cm->cdspace) { - new = (struct colordesc *)MALLOC(n * + newCd = (struct colordesc *)MALLOC(n * sizeof(struct colordesc)); - if (new != NULL) - memcpy(VS(new), VS(cm->cdspace), cm->ncds * + if (newCd != NULL) + memcpy(VS(newCd), VS(cm->cdspace), cm->ncds * sizeof(struct colordesc)); } else - new = (struct colordesc *)REALLOC(cm->cd, + newCd = (struct colordesc *)REALLOC(cm->cd, n * sizeof(struct colordesc)); - if (new == NULL) { + if (newCd == NULL) { CERR(REG_ESPACE); return COLORLESS; } - cm->cd = new; + cm->cd = newCd; cm->ncds = n; assert(cm->max < cm->ncds - 1); cm->max++; diff --git a/generic/regerrs.h b/generic/regerrs.h index 259c0cb..72548ff 100644 --- a/generic/regerrs.h +++ b/generic/regerrs.h @@ -17,3 +17,4 @@ { REG_MIXED, "REG_MIXED", "character widths of regex and string differ" }, { REG_BADOPT, "REG_BADOPT", "invalid embedded option" }, { REG_ETOOBIG, "REG_ETOOBIG", "nfa has too many states" }, +{ REG_ECOLORS, "REG_ECOLORS", "too many colors" }, diff --git a/generic/regex.h b/generic/regex.h index a35925a..1cd2ea8 100644 --- a/generic/regex.h +++ b/generic/regex.h @@ -293,6 +293,7 @@ typedef struct { #define REG_MIXED 17 /* character widths of regex and string differ */ #define REG_BADOPT 18 /* invalid embedded option */ #define REG_ETOOBIG 19 /* nfa has too many states */ +#define REG_ECOLORS 20 /* too many colors */ /* two specials for debugging and testing */ #define REG_ATOI 101 /* convert error-code name to number */ #define REG_ITOA 102 /* convert error-code number to name */ diff --git a/generic/regguts.h b/generic/regguts.h index c77a8fc..ee5c596 100644 --- a/generic/regguts.h +++ b/generic/regguts.h @@ -174,6 +174,7 @@ */ typedef short color; /* colors of characters */ typedef int pcolor; /* what color promotes to */ +#define MAX_COLOR SHRT_MAX /* max color value */ #define COLORLESS (-1) /* impossible color */ #define WHITE 0 /* default color, parent of all others */ |