Hi,

* Vincent Lefevre [06-11-14 17:22:02 +0100] wrote:
On 2006-11-14 16:20:24 +0100, Adam Wysocki wrote:--- regex.c~ 2006-11-14 16:11:59.000000000 +0100 +++ regex.c 2006-11-14 16:13:01.000000000 +0100 @@ -2196,8 +2196,7 @@ for (;;) { PATFETCH (c); - if (c == ':' || c == ']' || p == pend - || c1 == CHAR_CLASS_MAX_LENGTH) + if (c == ':' || c == ']' || p == pend) break; str[c1++] = c; }
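Review bot: dropping `|| c1 == CHAR_CLASS_MAX_LENGTH` from the break condition removes the only bound on `str[c1++] = c;`, so the number of bytes written into `str` is then limited by nothing but the pattern length up to `pend`. The check was presumably removed because it is dead: with `c1` an `unsigned char` and `CHAR_CLASS_MAX_LENGTH` at 256, `c1` wraps to 0 before it can ever equal the limit. The fix is to make the guard effective rather than delete it, either by comparing against a value the index type can reach (255, as proposed below) or by widening `c1` to `size_t` and keeping the comparison, with `str` sized to match.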
AFAIK, this change may lead to a buffer overflow or infinite loop.
Yes, it will. My suggested fix is to define CHAR_CLASS_MAX_LENGTH just to 255 (0xff) instead of 256 (0x100) since likely sizeof(unsigned char) is 1.
Adam, does that work?
BTW, I don't think that using c1 (an unsigned char) as an index is a good idea.
Yes. Maybe it's some legacy code or something where somebody used 'unsigned char' instead of uint8_t.
bye,
Rocco

-- 
:wq!
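As an added example (not mutt's regex.c and not code from anyone in this thread), here is the class-name copy loop from the patch in a bounded form: a `size_t` index instead of an `unsigned char`, and an overlong or unterminated name rejected before anything is written past the buffer. A second small function shows why an `unsigned char` counter compared against 256 never matches. The constant's value and the function names are assumptions for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from mutt's regex.c or from anyone on this thread.
   The constant name mirrors the thread; its value is an assumption here. */
#define CHAR_CLASS_MAX_LENGTH 256

/* Copy the class name that starts at *pp (just after "[:") into str.
 * Returns the number of characters stored, or -1 if the name does not fit
 * or no ':' / ']' terminator is found before pend. On success *pp is left
 * pointing at the terminator. */
int copy_class_name(const char **pp, const char *pend,
                    char str[CHAR_CLASS_MAX_LENGTH + 1])
{
    const char *p = *pp;
    size_t n = 0;   /* size_t, not unsigned char: the bound test below cannot wrap */

    while (p < pend) {
        char c = *p;
        if (c == ':' || c == ']')
            break;
        if (n == CHAR_CLASS_MAX_LENGTH)   /* buffer full: reject instead of writing */
            return -1;
        str[n++] = c;
        p++;
    }
    if (p == pend)                       /* ran off the pattern: unterminated */
        return -1;
    str[n] = '\0';
    *pp = p;
    return (int)n;
}

/* Why the guard `c1 == CHAR_CLASS_MAX_LENGTH` never fires when c1 is an
 * unsigned char and the limit is 256: c1 wraps from 255 back to 0 first.
 * Returns 1 if the counter ever equals `limit` within `steps` increments. */
int unsigned_char_counter_reaches(unsigned limit, unsigned steps)
{
    unsigned char c1 = 0;
    for (unsigned i = 0; i < steps; i++) {
        if (c1 == limit)
            return 1;
        c1++;
    }
    return 0;
}

/* Constructed inputs for a stand-alone run. */
int demo_short(void)
{
    static const char pat[] = "alpha:]rest";
    const char *p = pat;
    char str[CHAR_CLASS_MAX_LENGTH + 1];
    return copy_class_name(&p, pat + sizeof pat - 1, str);   /* 5, str = "alpha" */
}

int demo_overlong(void)
{
    char pat[CHAR_CLASS_MAX_LENGTH + 10];   /* name longer than the buffer */
    const char *p = pat;
    char str[CHAR_CLASS_MAX_LENGTH + 1];
    memset(pat, 'a', sizeof pat);
    pat[sizeof pat - 2] = ':';
    pat[sizeof pat - 1] = ']';
    return copy_class_name(&p, pat + sizeof pat, str);      /* -1: rejected */
}

int demo_unterminated(void)
{
    static const char pat[] = "alpha";
    const char *p = pat;
    char str[CHAR_CLASS_MAX_LENGTH + 1];
    return copy_class_name(&p, pat + sizeof pat - 1, str);   /* -1: no terminator */
}

int main(void)
{
    printf("short: %d, overlong: %d, unterminated: %d\n",
           demo_short(), demo_overlong(), demo_unterminated());
    printf("unsigned char reaches 256: %d, reaches 255: %d\n",
           unsigned_char_counter_reaches(256, 1000),
           unsigned_char_counter_reaches(255, 1000));
    return 0;
}
```

The index type change is what makes the bound meaningful: with a `size_t` counter the comparison against 256 is reachable, so the loop refuses the 257th byte instead of silently wrapping and rewriting `str` from the start.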