<regex>: Fix integer overflow in _Buf and implement geometric buffer expansion (#5175, +35 −12)
Fixes an undetected integer overflow in `_Buf::_Insert(_Elem)` when increasing the buffer size. It's unlikely anyone ever ran into this bug in practice, since the overflow could only happen following about $2^{28}$ reallocations, but if one were to wait long enough, `_Buf` would write to and read from unallocated memory.

Since fixing the overflow bug meant rewriting the size calculations anyway, I also quickly added three lines to implement geometric expansion of the buffer, ensuring that inserting a new character runs in amortized constant rather than linear time. The selected growth factor is 1.5, same as `vector`'s. (The geometric expansion kicks in when more than 48 characters are inserted into a character buffer. I think most practically used regular expressions don't even get close to adding 48 characters to one of these buffers.)

Finally, this PR makes `_Buf` throw a `regex_error` with error code `error_space` on allocation failure, which I think is the more appropriate exception when running out of memory while parsing a regular expression and building the corresponding NFA. But feel free to change this to `bad_alloc` etc. if you prefer these exceptions instead.

No tests added since they would require about 8 GB of virtual memory and run for several minutes, but here is a small x64 test program to see that overflow is handled correctly now:
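The x64 test program the description refers to is not included on this page. The following is an added, self-contained illustration, not the PR's diff and not the STL's `_Buf`, of the growth policy the description outlines: a fixed step for small buffers, 1.5x geometric growth once more than 48 characters are held, and an overflow check on the size arithmetic before any allocation, so that a failed computation is reported instead of wrapping to a small size and handing out an undersized block. The fixed step of 16, the `buf_space_error` type standing in for `regex_error` with `error_space`, and the `CharBuf` class are assumptions of this sketch; the overflow path is exercised on a capacity near `SIZE_MAX`, so checking it needs no large allocation.

```cpp
#include <cstddef>
#include <cstring>
#include <limits>
#include <memory>
#include <stdexcept>

// Added illustration, not the STL's _Buf and not this PR's diff.
// Assumptions (not stated on the page): fixed step of 16 below the
// threshold, and buf_space_error standing in for regex_error/error_space.

constexpr std::size_t kGeometricThreshold = 48; // stated in the PR description
constexpr std::size_t kLinearStep         = 16; // assumed for this sketch

// Stand-in for the regex_error(error_space) the PR throws on allocation failure.
struct buf_space_error : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Computes the capacity after one growth step from `current`.
// Returns false instead of wrapping when current + step would not fit in
// std::size_t; the caller must not allocate in that case.
bool next_capacity(std::size_t current, std::size_t& out) {
    constexpr std::size_t kMax = std::numeric_limits<std::size_t>::max();
    // Linear growth for small buffers; above the threshold add half of the
    // current capacity, i.e. a growth factor of 1.5 like vector's.
    const std::size_t step = current < kGeometricThreshold ? kLinearStep : current / 2;
    if (kMax - current < step) {
        return false; // the addition would overflow: report, never wrap
    }
    out = current + step;
    return true;
}

// Minimal append-only character buffer that grows via next_capacity.
class CharBuf {
public:
    void insert(char c) {
        if (size_ == capacity_) {
            std::size_t new_cap = 0;
            if (!next_capacity(capacity_, new_cap)) {
                throw buf_space_error("CharBuf: size computation overflowed");
            }
            std::unique_ptr<char[]> fresh;
            try {
                fresh.reset(new char[new_cap]);
            } catch (const std::bad_alloc&) {
                // Map allocation failure to the buffer's own error, as the PR does.
                throw buf_space_error("CharBuf: allocation failed");
            }
            if (size_ != 0) {
                std::memcpy(fresh.get(), data_.get(), size_);
            }
            data_ = std::move(fresh);
            capacity_ = new_cap;
        }
        data_[size_++] = c;
    }
    std::size_t size() const { return size_; }
    std::size_t capacity() const { return capacity_; }

private:
    std::unique_ptr<char[]> data_;
    std::size_t size_ = 0;
    std::size_t capacity_ = 0;
};

// Inserts n characters into a fresh buffer and returns the resulting capacity,
// so the growth sequence (16, 32, 48, 72, 108, ...) can be checked cheaply.
std::size_t capacity_after(std::size_t n) {
    CharBuf b;
    for (std::size_t i = 0; i < n; ++i) {
        b.insert('a');
    }
    return b.capacity();
}
```

Keeping the size arithmetic in `next_capacity`, separate from the allocation, is what makes the overflow case testable without the 8 GB run the description mentions: the check is driven with a capacity a few bytes below `SIZE_MAX` and must return false rather than produce a tiny wrapped value.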