teco_memory_check() now checks for addition overflows and negative searches (<S>) for multiplication overflows

* Since the numbers come from "outside" (SciTECO scripts) this is easily possible, resulting either in missed checks or even memory corruption. * In particular, this fixes the "Searching with large counts" test case on 32-bit builds. Perhaps at least one CI build should be 32-bit?
author: Robin Haberkorn <robin.haberkorn@googlemail.com> 2021-06-05 17:43:58 +0200
committer: Robin Haberkorn <robin.haberkorn@googlemail.com> 2021-06-05 17:43:58 +0200
commit: ae913ab6275ff746439a2d99f8a1550ec2e511ff (patch)
tree: fade465796b86ab17b0d7d1bc6862386f685524e /src/search.c
parent: a5733728560d300774a4322ed18fc75b5946d4de (diff)
download: sciteco-ae913ab6275ff746439a2d99f8a1550ec2e511ff.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/src/search.c b/src/search.c
index 4c324a6..3ccecde 100644
--- a/src/search.c
+++ b/src/search.c
@@ -496,6 +496,15 @@ teco_do_search(GRegex *re, gint from, gint to, gint *count, GError **error)
 		gsize matched_size = sizeof(teco_range_t) * -*count;
 
 		/*
+		 * matched_size could overflow.
+		 * NOTE: Glib 2.48 has g_size_checked_mul() which uses
+		 * compiler intrinsics.
+		 */
+		if (matched_size / sizeof(teco_range_t) != -*count)
+			/* guaranteed to fail either teco_memory_check() or g_malloc() */
+			matched_size = G_MAXSIZE;
+
+		/*
 		 * NOTE: It's theoretically possible that the allocation of the `matched`
 		 * array causes an OOM if (-count) is large enough and regular
 		 * memory limiting in teco_machine_main_step() wouldn't help.
author	Robin Haberkorn <robin.haberkorn@googlemail.com>	2021-06-05 17:43:58 +0200
committer	Robin Haberkorn <robin.haberkorn@googlemail.com>	2021-06-05 17:43:58 +0200
commit	ae913ab6275ff746439a2d99f8a1550ec2e511ff (patch)
tree	fade465796b86ab17b0d7d1bc6862386f685524e /src/search.c
parent	a5733728560d300774a4322ed18fc75b5946d4de (diff)
download	sciteco-ae913ab6275ff746439a2d99f8a1550ec2e511ff.tar.gz