#13036 closed Bugs (fixed)

Boost.Regex: Integer overflow during calculation of max_state_count

Reported by: anonymous Owned by: John Maddock
Milestone: To Be Determined Component: regex
Version: Boost Development Trunk Severity: Problem
Keywords: regex max_state_count Cc:


template <class BidiIterator, class Allocator, class traits>
void perl_matcher<BidiIterator, Allocator, traits>::estimate_max_state_count(std::random_access_iterator_tag*)
{
   std::ptrdiff_t states = re.size();
   if(states == 0)
      states = 1;
   states *= states; // overflows here on 32bit platforms
                     // if regex string length greater than 2**16
   // ... rest of the function omitted in the report
}

Attachments (1)

bug_13036.cc (858 bytes) - added by Brian Minard <bminard@…> 18 months ago.


Change History (4)

Changed 18 months ago by Brian Minard <bminard@…>

Attachment: bug_13036.cc added


comment:1 Changed 18 months ago by Brian Minard <bminard@…>

I did not report this issue, but have attached a reproducer. A patch: https://github.com/boostorg/regex/pull/32.

FWIW, overflow occurs when the states variable is greater than sqrt(2^31) (on a 32-bit platform).

The value of the states variable is implementation dependent whenever re.size() returns a value greater than std::numeric_limits<std::ptrdiff_t>::max() (the size() method returns a value of type std::size_t).
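The following is an added example (not Boost's code and not the fix referenced in this ticket): it reproduces the wrap-around of "states *= states" from the description with an explicit 32-bit signed type, and shows one overflow-safe way to compute the square by dividing before multiplying and clamping to a cap. The names square_unchecked_32, square_checked and kStateCap are hypothetical, and kStateCap is a stand-in for the library's real limit, not its actual value.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <limits>

// Stand-in for BOOST_REGEX_MAX_STATE_COUNT; the value is chosen here for
// illustration only and is not the library's real constant.
static const std::int32_t kStateCap = 100000000;

// Mirrors the ticket's "states *= states" with an explicit 32-bit signed
// type so the overflow reproduces on a 64-bit host as well. Signed overflow
// is undefined behaviour in C++, so the wrap-around is emulated by computing
// in 64 bits and truncating, which is what a 32-bit build effectively did.
std::int32_t square_unchecked_32(std::int32_t states) {
    if (states == 0) states = 1;
    std::int64_t wide = static_cast<std::int64_t>(states) * states;
    return static_cast<std::int32_t>(static_cast<std::uint32_t>(wide));
}

// Overflow-safe variant: divide before multiplying, and clamp to the cap
// instead of wrapping. A negative input (what a size_t larger than
// PTRDIFF_MAX can turn into, as comment:1 notes) is treated as "too many
// states" as well.
template <class Int>
Int square_checked(Int states, Int cap) {
    const Int max = (std::numeric_limits<Int>::max)();
    if (states == 0) states = 1;
    if (states < 0 || max / states < states) {
        return (std::min)(cap, static_cast<Int>(max - 2));
    }
    return states * states;
}

int main() {
    // 70000 states: above 2**16, so 70000*70000 does not fit in 32 bits.
    std::printf("unchecked: %d\n", square_unchecked_32(70000));   // wrapped, far too small
    std::printf("checked:   %d\n", square_checked<std::int32_t>(70000, kStateCap));
    // 46340 is the largest count whose square still fits in a signed 32-bit int.
    std::printf("checked 46340: %d\n", square_checked<std::int32_t>(46340, kStateCap));
    return 0;
}
```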

comment:2 Changed 17 months ago by John Maddock

Component: None → regex
Owner: set to John Maddock

Will investigate.

comment:3 Changed 17 months ago by John Maddock

Resolution: fixed
Status: new → closed

Fixed in https://github.com/boostorg/regex/commit/bc9b25b5d3c3784543158510c6087d41739ab64a.

I didn't use your PR because the change from signed to unsigned integer introduces other pitfalls (signed/unsigned comparisons).
