Boost C++ Libraries: Ticket #13036: Boost.Regex: Integer overflow during calculation of max_state_count
https://svn.boost.org/trac10/ticket/13036

Description:

```cpp
template <class BidiIterator, class Allocator, class traits>
void perl_matcher<BidiIterator, Allocator, traits>::estimate_max_state_count(std::random_access_iterator_tag*)
{
   ...
   std::ptrdiff_t states = re.size();
   if(states == 0)
      states = 1;
   states *= states; // overflows here on 32bit platforms
                     // if regex string length greater than 2**16
```

Changed Mon, 03 Jul 2017 21:50:13 GMT by Brian Minard <bminard@…>
  attachment → bug_13036.cc

reproducer

comment:1 by Brian Minard <bminard@…>, Mon, 03 Jul 2017 21:51:54 GMT
https://svn.boost.org/trac10/ticket/13036#comment:1

I did not report this issue, but have attached a reproducer. A patch: https://github.com/boostorg/regex/pull/32.

FWIW, overflow occurs when the states variable is greater than sqrt(2^31) (on a 32-bit platform).

The value of the states variable is implementation-dependent whenever re.size() returns a value greater than std::numeric_limits<std::ptrdiff_t>::max() (the size() method returns a value of type std::size_t).

comment:2 by John Maddock, Sun, 30 Jul 2017 18:19:54 GMT
https://svn.boost.org/trac10/ticket/13036#comment:2
  owner set to John Maddock
  component None → regex

Will investigate.

comment:3 by John Maddock, Mon, 31 Jul 2017 18:20:02 GMT
https://svn.boost.org/trac10/ticket/13036#comment:3
  status new → closed
  resolution → fixed

Fixed in https://github.com/boostorg/regex/commit/bc9b25b5d3c3784543158510c6087d41739ab64a.

I didn't use your PR because the change from signed to unsigned integer introduces other pitfalls (signed/unsigned comparisons).
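The following is an added worked example, not code from the ticket, from Boost.Regex, or from the linked fix commit. It reproduces the overflow condition described in the ticket (`states *= states` with `states` taken from `re.size()`) and shows a checked version of that step. The function names `squared_states`, `largest_safe_size` and `squared_states_saturating`, the `SquareResult` struct and the sample sizes are this example's own; the signed type is a template parameter so that the 32-bit `std::ptrdiff_t` case can be exercised on a 64-bit host by instantiating with `std::int32_t`.

```cpp
// Added example, not Boost's code and not the fix from the ticket.
// Overflow-checked version of the "states *= states" step from
// estimate_max_state_count, parameterised on the signed difference type
// so the 32-bit failure can be reproduced on a 64-bit host.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>

// Result of the checked computation. ok == false means the square would not
// fit in Diff. Signed overflow is undefined behaviour in C++, so the check
// must run before the multiplication, never by inspecting a wrapped result.
template <class Diff>
struct SquareResult {
    bool ok;
    Diff value;
};

// Mirrors the ticket's logic: states = re.size(); if 0 -> 1; states *= states.
// regex_size is std::size_t, matching the caveat in comment:1 about re.size().
template <class Diff>
SquareResult<Diff> squared_states(std::size_t regex_size)
{
    const Diff max = std::numeric_limits<Diff>::max();

    // Caveat from comment:1: converting a size_t larger than Diff's maximum
    // to Diff yields an implementation-defined value, so reject it up front.
    if (regex_size > static_cast<std::size_t>(max))
        return SquareResult<Diff>{false, 0};

    Diff states = static_cast<Diff>(regex_size);
    if (states == 0)
        states = 1;

    // With states >= 1:  states * states > max  <=>  states > max / states.
    // Integer division stays in range, so this test itself cannot overflow.
    if (states > max / states)
        return SquareResult<Diff>{false, 0};

    return SquareResult<Diff>{true, static_cast<Diff>(states * states)};
}

// Largest re.size() whose square still fits in Diff, i.e. floor(sqrt(max)),
// found by binary search on the same division test (no floating point, so
// no rounding surprises right at the boundary the ticket talks about).
template <class Diff>
std::size_t largest_safe_size()
{
    const Diff max = std::numeric_limits<Diff>::max();
    Diff lo = 1, hi = max;
    while (lo < hi) {
        Diff mid = lo + (hi - lo + 1) / 2;  // round up so the loop terminates
        if (mid <= max / mid)
            lo = mid;
        else
            hi = mid - 1;
    }
    return static_cast<std::size_t>(lo);
}

// One way a caller can react: saturate at the type's maximum instead of
// wrapping, so a huge regex yields a huge but well-defined estimate.
template <class Diff>
Diff squared_states_saturating(std::size_t regex_size)
{
    SquareResult<Diff> r = squared_states<Diff>(regex_size);
    return r.ok ? r.value : std::numeric_limits<Diff>::max();
}

int main()
{
    // Constructed sample sizes: 0 (mapped to 1), the 32-bit boundary on
    // either side, and a size in the "greater than 2**16" range.
    std::printf("largest safe size with a 32-bit ptrdiff_t: %zu\n",
                largest_safe_size<std::int32_t>());
    const std::size_t sizes[] = {0, 46340, 46341, 70000};
    for (std::size_t s : sizes) {
        SquareResult<std::int32_t> r32 = squared_states<std::int32_t>(s);
        SquareResult<std::int64_t> r64 = squared_states<std::int64_t>(s);
        std::printf("size %6zu: int32 %s %lld   int64 %s %lld\n", s,
                    r32.ok ? "ok      " : "overflow", (long long)r32.value,
                    r64.ok ? "ok      " : "overflow", (long long)r64.value);
    }
    return 0;
}
```

The division test is portable C++; on GCC and Clang `__builtin_mul_overflow` gives the same answer in one call. The difference type stays signed throughout, which is in line with the maintainer's objection in comment:3 to switching to unsigned: no signed/unsigned comparisons are introduced, and the size_t to signed conversion is checked explicitly instead of being left implementation-defined.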