glibc regex.c mishandles integer overflow in interval expressions

[Paul Eggert]

glibc regex.c doesn't detect integer overflow in interval expressions.
Here's a shell script illustrating the bug, using GNU grep compiled
with glibc regexp on a 32-bit host:

  $ echo abc | egrep 'ab{4294967297}c'
  abc

egrep should report an overflow, but regex.c silently substitutes 1
for 4294967297.

I found this bug while merging the '{'-handling code of GNU grep into
glibc.  I'll submit a patch for that more important issue soon.  The
two problems are somewhat related, since GNU egrep extends POSIX
slightly, and in some cases treats '{4294967297}' as if it were
'\{4294967297\}' for backward compatibility reasons.  However, this
overflow fix is separable from the other patch.

2001-03-21  Paul Eggert  <address@hidden>

        * posix/regex.c (GET_UNSIGNED_NUMBER): Check for overflow.
        Rewrite to avoid duplicate code.

===================================================================
RCS file: regex.c,v
retrieving revision 1.91
retrieving revision 1.91.0.1
diff -pu -r1.91 -r1.91.0.1
--- regex.c     2001/02/15 21:23:10     1.91
+++ regex.c     2001/03/22 02:42:43     1.91.0.1
@@ -2139,20 +2139,20 @@ typedef struct
 
 /* Get the next unsigned number in the uncompiled pattern.  */
 #define GET_UNSIGNED_NUMBER(num)                                       \
-  { if (p != pend)                                                     \
-     {                                                                 \
-       PATFETCH (c);                                                   \
-       while ('0' <= c && c <= '9')                                    \
-         {                                                             \
-           if (num < 0)                                                        
\
-              num = 0;                                                 \
-           num = num * 10 + c - '0';                                   \
-           if (p == pend)                                              \
-              break;                                                   \
-           PATFETCH (c);                                               \
-         }                                                             \
-       }                                                               \
-    }
+  {                                                                    \
+    while (p != pend)                                                  \
+      {                                                                        
\
+       PATFETCH (c);                                                   \
+       if (! ('0' <= c && c <= '9'))                                   \
+         break;                                                        \
+       if (num <= RE_DUP_MAX)                                          \
+         {                                                             \
+           if (num < 0)                                                \
+             num = 0;                                                  \
+           num = num * 10 + c - '0';                                   \
+         }                                                             \
+      }                                                                        
\
+  }
 
 #if defined _LIBC || WIDE_CHAR_SUPPORT
 /* The GNU C library provides support for user-defined character classes