Re: [PATCH v2 1/2] lib/ts_bm: fix integer overflow in pattern length calculation
From: Andrew Morton
Date: Sun Mar 08 2026 - 15:55:28 EST
On Sun, 8 Mar 2026 18:10:53 +0000 Josh Law <hlcj1234567@xxxxxxxxx> wrote:
> From: Josh Law <objecting@xxxxxxxxxxxxx>
>
> The ts_bm algorithm computes the required allocation size by
> multiplying the pattern length by the size of an integer. If the
> pattern length is sufficiently large, this can overflow the 32-bit
> unsigned int before it is widened to size_t. This could result in an
> undersized allocation and a subsequent heap buffer overflow when
> copying the pattern.
>
> Fix this by explicitly checking that the length does not exceed
> the maximum safe threshold before calculating the buffer sizes.
>
> ...
>
> --- a/lib/ts_bm.c
> +++ b/lib/ts_bm.c
> @@ -166,6 +166,9 @@ static struct ts_config *bm_init(const void *pattern, unsigned int len,
> unsigned int prefix_tbl_len = len * sizeof(unsigned int);
> size_t priv_size = sizeof(*bm) + len + prefix_tbl_len;
The above description is referring to this expression?
I think the uints will be promoted to size_t before the addition occurs?
If you're referring to the prefix_tbl_len initialization then yes,
overflow could happen.
> + if (unlikely(len == 0 || len > (UINT_MAX - sizeof(*bm)) / (sizeof(unsigned int) + 1)))
> + return ERR_PTR(-EINVAL);
Seems odd to perform these (uncommented!) checks after having performed
the problematic operations. Something like:
unsigned int prefix_tbl_len;
size_t priv_size;
/* Explanatory comment goes here */
/* Can this actually happen? */
if (unlikely(len == 0))
return ERR_PTR(-EINVAL);
/* Explanatory comment goes here */
if (unlikely(len > (UINT_MAX - sizeof(*bm)) / (sizeof(unsigned int) + 1))
return ERR_PTR(-EINVAL);
prefix_tbl_len = len * sizeof(unsigned int);
priv_size = sizeof(*bm) + len + prefix_tbl_len;
Also, please check the various helpers in overflow.h.