diff options
| author | Paul Eggert <eggert@cs.ucla.edu> | 2010-01-22 12:15:53 -0800 |
|---|---|---|
| committer | Ulrich Drepper <drepper@redhat.com> | 2010-01-22 12:15:53 -0800 |
| commit | eadc09f22cd81dd0153fba0fd8514261ea9b4196 (patch) | |
| tree | f9d60b20a484365fb497fe9fc8d7b545d3a0a116 | |
| parent | 4cd028677b55c8be454bb06f0b28a8b41beffe9b (diff) | |
| download | glibc-eadc09f22cd81dd0153fba0fd8514261ea9b4196.tar.gz glibc-eadc09f22cd81dd0153fba0fd8514261ea9b4196.tar.xz glibc-eadc09f22cd81dd0153fba0fd8514261ea9b4196.zip | |
re_search_internal: Avoid overflow in computing re_malloc buffer size
| -rw-r--r-- | ChangeLog | 4 | ||||
| -rw-r--r-- | posix/regexec.c | 7 |
2 files changed, 11 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog index 1975f6def7..31251f16c9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,9 @@ 2010-01-22 Jim Meyering <jim@meyering.net> + [BZ #11190] + * posix/regexec.c (re_search_internal): Avoid overflow + in computing re_malloc buffer size. + [BZ #11189] * posix/regexec.c (prune_impossible_nodes): Avoid overflow in computing re_malloc buffer size. diff --git a/posix/regexec.c b/posix/regexec.c index a3a7a60d09..11f3d31128 100644 --- a/posix/regexec.c +++ b/posix/regexec.c @@ -691,6 +691,13 @@ re_search_internal (preg, string, length, start, range, stop, nmatch, pmatch, multi character collating element. */ if (nmatch > 1 || dfa->has_mb_node) { + /* Avoid overflow. */ + if (BE (SIZE_MAX / sizeof (re_dfastate_t *) <= mctx.input.bufs_len, 0)) + { + err = REG_ESPACE; + goto free_return; + } + mctx.state_log = re_malloc (re_dfastate_t *, mctx.input.bufs_len + 1); if (BE (mctx.state_log == NULL, 0)) { |