On Fri, Sep 09, 2016 at 11:45:01AM +0200, Johannes Schindelin wrote:
> > I mentioned elsewhere that I'd prefer we just push people into using
> > compat/regex if they don't have REG_STARTEND. But if we _do_ keep this
> > fallback, note that the above has a buffer overflow (think what happens
> > when "size" is the maximum value for a size_t). You can avoid it by
> > using xmallocz().
> That buffer overflow does not exist: If size were the maximum value for
> size_t, then buf->ptr would point at a buffer that occupies the entire
> available memory, meaning that there is no space left for buf->ptr, let
> alone for buf.
True. I fixed quite a lot of these last summer, but they are only really
dangerous when we have not already allocated the buffer.
> But I get your point. It is better to be consistent and use the same logic
> for *all* allocations.
Yep. Also, it is easier to audit if you do not have to trace back and
see that even though we do overflow the argument to malloc, it can't
happen because of memory constraints (this one is fairly obvious, but
quite a few that I fixed previously involved complicated reasoning about
how much RAM you could use).