about summary refs log tree commit diff
diff options
context:
space:
mode:
authorPaul Eggert <eggert@cs.ucla.edu>2010-01-22 12:03:56 -0800
committerUlrich Drepper <drepper@redhat.com>2010-01-22 12:03:56 -0800
commit4cd028677b55c8be454bb06f0b28a8b41beffe9b (patch)
tree38a0431e4d99c6220ed4ea92abdebffb8439b5eb
parentdaa8454919de6c4e8b914c5d45276abd20baab08 (diff)
downloadglibc-4cd028677b55c8be454bb06f0b28a8b41beffe9b.tar.gz
glibc-4cd028677b55c8be454bb06f0b28a8b41beffe9b.tar.xz
glibc-4cd028677b55c8be454bb06f0b28a8b41beffe9b.zip
prune_impossible_nodes: Avoid overflow in computing re_malloc buffer size
-rw-r--r--ChangeLog4
-rw-r--r--posix/regexec.c5
2 files changed, 9 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 9b3fe33f55..1975f6def7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
 2010-01-22  Jim Meyering  <jim@meyering.net>
 
+	[BZ #11189]
+	* posix/regexec.c (prune_impossible_nodes): Avoid overflow
+	in computing re_malloc buffer size.
+
 	[BZ #11188]
 	* posix/regexec.c (build_trtable): Avoid arithmetic overflow
 	in size calculation.
diff --git a/posix/regexec.c b/posix/regexec.c
index 3765d00ffd..a3a7a60d09 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -949,6 +949,11 @@ prune_impossible_nodes (mctx)
 #endif
   match_last = mctx->match_last;
   halt_node = mctx->last_node;
+
+  /* Avoid overflow.  */
+  if (BE (SIZE_MAX / sizeof (re_dfastate_t *) <= match_last, 0))
+    return REG_ESPACE;
+
   sifted_states = re_malloc (re_dfastate_t *, match_last + 1);
   if (BE (sifted_states == NULL, 0))
     {