Opened 5 years ago

Closed 5 years ago

#13036 closed Bugs (fixed)

Boost.Regex: Integer overflow during calculation of max_state_count

Reported by: anonymous
Owned by: John Maddock
Milestone: To Be Determined
Component: regex
Version: Boost Development Trunk
Severity: Problem
Keywords: regex max_state_count
Cc:

Description

template <class BidiIterator, class Allocator, class traits>
void perl_matcher<BidiIterator, Allocator, traits>::estimate_max_state_count(std::random_access_iterator_tag*)
{
   ...
   std::ptrdiff_t states = re.size();
   if(states == 0)
      states = 1;
   states *= states; // overflows here on 32bit platforms 
                     // if regex string length greater than 2**16 
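The squaring step quoted above, reworked with an overflow check and saturation. This is an added illustration, not code from the ticket, its attachment or Boost.Regex; `square_overflows`, `saturating_square` and `estimate_states_32bit` are hypothetical names, and the state type is pinned to 32 bits so the boundary the ticket describes reproduces on any host.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>

// The original does `states *= states` on std::ptrdiff_t. On a 32-bit
// platform ptrdiff_t is 32 bits, so any value above 46340 (the floor of
// sqrt(2^31 - 1)) overflows; for a signed type that is undefined behaviour,
// not merely a wrong number.

// Returns true if a*a would overflow T, decided without performing the
// multiplication. Callers pass non-negative values; negatives are treated
// conservatively as overflowing.
template <class T>
bool square_overflows(T a) {
    if (a < 0) return true;
    return a != 0 && a > std::numeric_limits<T>::max() / a;
}

// Saturating square: a*a, or max() when that would overflow.
template <class T>
T saturating_square(T a) {
    return square_overflows(a) ? std::numeric_limits<T>::max() : a * a;
}

// Hypothetical 32-bit stand-in for the ticket's calculation: mirrors the
// "states == 0 -> 1" step and then squares with saturation instead of UB.
using state_count_t = std::int32_t;

state_count_t estimate_states_32bit(std::size_t regex_size) {
    const std::size_t max_as_size =
        static_cast<std::size_t>(std::numeric_limits<state_count_t>::max());
    // re.size() is std::size_t; clamp before converting to the signed type
    // (the other conversion hazard mentioned in the ticket's first comment).
    state_count_t states = regex_size > max_as_size
        ? std::numeric_limits<state_count_t>::max()
        : static_cast<state_count_t>(regex_size);
    if (states == 0)
        states = 1;
    return saturating_square(states);
}
```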

Attachments (1)

bug_13036.cc (858 bytes ) - added by Brian Minard <bminard@…> 5 years ago.
reproducer


Change History (4)

by Brian Minard <bminard@…>, 5 years ago

Attachment: bug_13036.cc added

reproducer

comment:1 by Brian Minard <bminard@…>, 5 years ago

I did not report this issue, but have attached a reproducer. A patch: https://github.com/boostorg/regex/pull/32.

FWIW, overflow occurs when the states variable is greater than sqrt(2^31) (on a 32-bit platform).

The value of the states variable is implementation dependent whenever re.size() returns a value greater than std::numeric_limits<std::ptrdiff_t>::max() (the size() method returns a value of type std::size_t).

comment:2 by John Maddock, 5 years ago

Component: None → regex
Owner: set to John Maddock

Will investigate.

comment:3 by John Maddock, 5 years ago

Resolution: fixed
Status: new → closed

Fixed in https://github.com/boostorg/regex/commit/bc9b25b5d3c3784543158510c6087d41739ab64a.

I didn't use your PR because the change from signed to unsigned integer introduces other pitfalls (signed/unsigned comparisons).
