authorPaul Eggert <eggert@cs.ucla.edu>2022-12-19 12:32:21 -0800
committerPaul Eggert <eggert@cs.ucla.edu>2022-12-19 12:35:32 -0800
commita9b1b679b6cbe94087708fe8957979182d501528 (patch)
treecadd34080882a8a4c5665963451db56a55d5533c /sed/sed.h
parentfc0655d78220ed5533b3e34c52c8fc1fc9719061 (diff)
sed: improve integer overflow checking
Fix some longstanding but unlikely integer overflows. Internally, 'sed' now more often prefers signed integer arithmetic, which can be checked automatically via 'gcc -fsanitize=undefined'. * basicdefs.h (countT): Remove. All uses replaced with a more-specific signed type, e.g., idx_t. Similarly, change uses of types like size_t to signed types like idx_t when appropriate. (REALLOC): Remove; no longer used. We now use xpalloc because that detects integer overflow in size calculations. Also, we no longer use XCALLOC since the code never relies on the storage being zero, and leaving it uninitialized is more likely to catch errors when debugging implementations are used. We use XNMALLOC instead, or xpalloc. * bootstrap.conf (gnulib_modules): Add stdckdint, strtoimax. * lib/.gitignore, m4/.gitignore: Update for new Gnulib modules. * sed/compile.c: Include stdckdint.h. (VECTOR_ALLOC_INCREMENT): Remove; no longer used. (in_integer): Return maximal value if integer overflow. All callers changed to expect this. (next_cmd_entry): Use xpalloc instead of reallocating by hand, which might suffer integer overflow. (normalize_text): Don’t rely on system-defined conversion of out-of-range size_t to int. (next_cmd_entry): Arg is now pointer, not pointer-to-pointer. All uses changed. * sed/debug.c (debug_print_function): Don’t attempt to fwrite a null pointer with a zero size. * sed/execute.c: Include <stdckdint.h>, "minmax.h". (resize_line): LEN arg is now increment, not total length, to avoid overflow when calculating total length. All uses changed. Do not assume lb->alloc * 2 cannot overflow. (resize_line, line_copy): Use xpalloc instead of doing realloc by hand, which might suffer integer overflow. (str_append_modified): Do not add n to to->length until after it's known this cannot overflow. (read_file_line): Don’t assume ssize_t fits in long. (get_backup_file_name): Don’t assume string length fits in int.
Do not assume PTR-1+1 works; behavior is undefined if PTR is at buffer start. Check for integer overflow in buffer size calculation. (read_pattern_space): Check for line number overflow. (match_address_p): Check for address overflow. (debug_print_line): Omit unnecessary test for in->active being null. (execute_program): Check for Q overflow. * sed/regexp.c: Include <stdckdint.h>. (match_regex): Don’t assume TYPE_MAXIMUM (regoff_t) == INT_MAX. * sed/sed.c: Include inttypes.h, for strtoimax. (main): Use strtoimax, not atoi. * sed/utils.c (init_buffer): Use xmalloc and xpalloc instead of guessing sizes ourselves, and unnecessarily initializing. (resize_buffer): Remove; all callers changed to use xpalloc. (free_buffer): Don’t call free (NULL), since we already test whether the pointer is null.
Diffstat (limited to 'sed/sed.h')
-rw-r--r--sed/sed.h28
1 files changed, 14 insertions, 14 deletions
diff --git a/sed/sed.h b/sed/sed.h
index 8be9955..64ef7ed 100644
--- a/sed/sed.h
+++ b/sed/sed.h
@@ -27,8 +27,8 @@
/* Struct vector is used to describe a compiled sed program. */
struct vector {
struct sed_cmd *v; /* a dynamically allocated array */
- size_t v_allocated; /* ... number of slots allocated */
- size_t v_length; /* ... number of slots in use */
+ idx_t v_allocated; /* ... number of slots allocated */
+ idx_t v_length; /* ... number of slots in use */
};
/* This structure tracks files used by sed so that they may all be
@@ -44,13 +44,13 @@ struct output {
struct text_buf {
char *text;
- size_t text_length;
+ idx_t text_length;
};
struct regex {
regex_t pattern;
int flags;
- size_t sz;
+ idx_t sz;
struct dfa *dfa;
bool begline;
bool endline;
@@ -107,15 +107,15 @@ enum addr_types {
struct addr {
enum addr_types addr_type;
- countT addr_number;
- countT addr_step;
+ intmax_t addr_number;
+ intmax_t addr_step;
struct regex *addr_regex;
};
struct replacement {
char *prefix;
- size_t prefix_length;
+ idx_t prefix_length;
int subst_id;
enum replacement_types repl_type;
struct replacement *next;
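Review bot: `addr_number` and `addr_step` are widened to `intmax_t` with no comment on what an out-of-range script number turns into. The commit description says `in_integer` now returns the maximal value on overflow, so `INTMAX_MAX` presumably acts as a saturated value in these fields, and any later sum of the two has to be a checked addition. I would record that on the fields, e.g. `intmax_t addr_number; /* saturates at INTMAX_MAX if the script's number overflowed */`. The same applies to `numb` in the `struct subst` hunk. `struct replacement` continues past the end of this hunk.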
@@ -124,7 +124,7 @@ struct replacement {
struct subst {
struct regex *regx;
struct replacement *replacement;
- countT numb; /* if >0, only substitute for match number "numb" */
+ intmax_t numb; /* if >0, only substitute for match number "numb" */
struct output *outf; /* 'w' option given */
unsigned global : 1; /* 'g' option given */
unsigned print : 2; /* 'p' option given (before/after eval) */
@@ -157,10 +157,10 @@ struct sed_cmd {
struct text_buf cmd_txt;
/* This is used for the l, q and Q commands. */
- int int_arg;
+ intmax_t int_arg;
/* This is used for the {}, b, and t commands. */
- countT jump_index;
+ idx_t jump_index;
/* This is used for the r command. */
struct readcmd readcmd;
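Review bot: `int_arg` is now `intmax_t`, but the values it carries are consumed in narrower types: the `q`/`Q` argument becomes a process exit status (an `int`), and the `l` argument a line width, which the last hunk declares as `idx_t lcmd_out_line_len`. The description mentions a check for `Q` overflow in execute.c, but the header does not tell readers that every consumer must range-check before narrowing; where `idx_t` is narrower than `intmax_t`, an unchecked assignment would truncate silently. I would extend the comment to `/* This is used for the l, q and Q commands. May exceed the int and idx_t ranges; range-check before narrowing. */`. `struct sed_cmd` starts and ends outside this hunk.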
@@ -189,8 +189,8 @@ _Noreturn void bad_prog (char const *why, ...)
_GL_ATTRIBUTE_FORMAT_PRINTF_STANDARD (1, 2);
_Noreturn void bad_prog_notranslate (char const *why, ...)
_GL_ATTRIBUTE_FORMAT_PRINTF_STANDARD (1, 2);
-size_t normalize_text (char *text, size_t len, enum text_types buftype);
-struct vector *compile_string (struct vector *, char *str, size_t len);
+idx_t normalize_text (char *text, idx_t len, enum text_types buftype);
+struct vector *compile_string (struct vector *, char *str, idx_t len);
struct vector *compile_file (struct vector *, const char *cmdfile);
void check_final_program (struct vector *);
void rewind_read_files (void);
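Review bot: The `len` parameters of `normalize_text` and `compile_string` become signed `idx_t`, so a negative length is now representable, and the prototypes do not say it is invalid. Callers holding a `size_t` (for example from `strlen`) now convert implicitly, and a value above the `idx_t` maximum would arrive as a negative length. A one-line contract above the prototypes would make the precondition explicit, e.g. `/* LEN must satisfy 0 <= LEN <= IDX_MAX; callers converting from size_t check first. */`. The same applies to `buflen` and `buf_start_offset` of `match_regex` in the next hunk, where `0 <= buf_start_offset <= buflen` is presumably also required.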
@@ -198,7 +198,7 @@ void finish_program (struct vector *);
struct regex *compile_regex (struct buffer *b, int flags, int needed_sub);
int match_regex (struct regex *regex,
- char *buf, size_t buflen, size_t buf_start_offset,
+ char *buf, idx_t buflen, idx_t buf_start_offset,
struct re_registers *regarray, int regsize);
#ifdef lint
void release_regex (struct regex *);
@@ -239,7 +239,7 @@ extern bool follow_symlinks;
extern enum posixicity_types posixicity;
/* How long should the `l' command's output line be? */
-extern countT lcmd_out_line_len;
+extern idx_t lcmd_out_line_len;
/* How do we edit files in-place? (we don't if NULL) */
extern char *in_place_extension;