From d2e639dd5a5586e1daad32d30624d98c2805ffb6 Mon Sep 17 00:00:00 2001
From: Paul Eggert <address@hidden>
Date: Fri, 16 Dec 2016 09:34:02 -0800
Subject: [PATCH] regex: fix integer-overflow bug in never-used code
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Problem reported by Clément Pit–Claudel in:
http://lists.gnu.org/archive/html/emacs-devel/2016-12/msg00654.html
* lib/regex_internal.h: Include intprops.h.
* lib/regexec.c (re_search_2_stub): Use it to avoid undefined
behavior on integer overflow.
* modules/regex (Depends-on): Add intprops.
---
 ChangeLog            | 8 ++++++++
 lib/regex_internal.h | 2 ++
 lib/regexec.c        | 6 ++++--
 modules/regex        | 1 +
 4 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index dd67dba..c588296 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
 2016-12-16  Paul Eggert  <address@hidden>
 
+	regex: fix integer-overflow bug in never-used code
+	Problem reported by Clément Pit–Claudel in:
+	http://lists.gnu.org/archive/html/emacs-devel/2016-12/msg00654.html
+	* lib/regex_internal.h: Include intprops.h.
+	* lib/regexec.c (re_search_2_stub): Use it to avoid undefined
+	behavior on integer overflow.
+	* modules/regex (Depends-on): Add intprops.
+
 	fpending: fix port to MinGW on Emacs
 	* lib/stdio-impl.h [__MINGW32__]: Do not include errno.h.
 	Problem reported by Eli Zaretskii in:
diff --git a/lib/regex_internal.h b/lib/regex_internal.h
index 56a315a..7ac5f92 100644
--- a/lib/regex_internal.h
+++ b/lib/regex_internal.h
@@ -33,6 +33,8 @@
 #include <stdbool.h>
 #include <stdint.h>
 
+#include "intprops.h"
+
 #ifdef _LIBC
 # include <libc-lock.h>
 # define lock_define(name) __libc_lock_define (, name)
diff --git a/lib/regexec.c b/lib/regexec.c
index afdc173..f1e61af 100644
--- a/lib/regexec.c
+++ b/lib/regexec.c
@@ -354,10 +354,12 @@ re_search_2_stub (struct re_pattern_buffer *bufp, const char *string1,
 {
   const char *str;
   regoff_t rval;
-  Idx len = length1 + length2;
+  Idx len;
   char *s = NULL;
 
-  if (BE (length1 < 0 || length2 < 0 || stop < 0 || len < length1, 0))
+  if (BE ((length1 < 0 || length2 < 0 || stop < 0
+           || INT_ADD_WRAPV (length1, length2, &len)),
+          0))
     return -2;
 
   /* Concatenate the strings.  */
diff --git a/modules/regex b/modules/regex
index c5ae1b2..e1c9b58 100644
--- a/modules/regex
+++ b/modules/regex
@@ -18,6 +18,7 @@ ssize_t
 alloca-opt      [test $ac_use_included_regex = yes]
 btowc           [test $ac_use_included_regex = yes]
 gettext-h       [test $ac_use_included_regex = yes]
+intprops        [test $ac_use_included_regex = yes]
 lock      [test "$ac_cv_gnu_library_2_1:$ac_use_included_regex" = no:yes]
 memcmp          [test $ac_use_included_regex = yes]
 memmove         [test $ac_use_included_regex = yes]
-- 
2.7.4