From 382a7a77501a1e25895d78eca9cb6838c6d7e6a3 Mon Sep 17 00:00:00 2001
From: David Mitchell
Date: Sat, 20 Dec 2014 15:30:01 +0000
Subject: fix integer overflow in S_study_chunk().
It was calculating final_minlen + delta even when delta was already SSize_t_MAX and final_minlen > 0. This triggered it: /a(??{}){2}/. Found by -fsanitize=undefined: regcomp.c:5623:89: runtime error: signed integer overflow: 1 + 9223372036854775807 cannot be represented in type 'long'
---
 regcomp.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'regcomp.c')
diff --git a/regcomp.c b/regcomp.c
index c2521a97cc..4f5753a27b 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -5647,8 +5647,11 @@ PerlIO_printf(Perl_debug_log, "LHS=%"UVuf" RHS=%"UVuf"\n",
 {
 SSize_t final_minlen= min < stopmin ? min : stopmin;
- if (!(RExC_seen & REG_UNBOUNDED_QUANTIFIER_SEEN) && (RExC_maxlen < final_minlen + delta)) {
- RExC_maxlen = final_minlen + delta;
+ if (!(RExC_seen & REG_UNBOUNDED_QUANTIFIER_SEEN)) {
+ if (final_minlen > SSize_t_MAX - delta)
+ RExC_maxlen = SSize_t_MAX;
+ else if (RExC_maxlen < final_minlen + delta)
+ RExC_maxlen = final_minlen + delta;
 }
 return final_minlen;
 }
-- cgit v1.2.1
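Review bot: The new guard `if (final_minlen > SSize_t_MAX - delta)` is only overflow-free when `delta` is non-negative; `SSize_t` is signed, so a negative `delta` would make `SSize_t_MAX - delta` overflow in exactly the way the original `final_minlen + delta` did. `delta` is declared outside the hunk, and it reads as an accumulated max-minus-min slack that should never go below zero, but that invariant is not stated anywhere near this check, so the next UBSan report will send a reader on the same hunt; a one-line comment on the added branch would pin it down, e.g. `/* delta >= 0 here; saturate RExC_maxlen rather than overflow SSize_t */`. Saturating `RExC_maxlen` to `SSize_t_MAX` also means any later arithmetic on `RExC_maxlen` elsewhere in the compiler needs the same pre-check, which is worth noting in that comment. The enclosing function S_study_chunk starts outside the hunk.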