diff options
author | Paul Eggert <eggert@cs.ucla.edu> | 2010-01-22 12:03:56 -0800 |
---|---|---|
committer | Ulrich Drepper <drepper@redhat.com> | 2010-01-22 12:03:56 -0800 |
commit | 4cd028677b55c8be454bb06f0b28a8b41beffe9b (patch) | |
tree | 38a0431e4d99c6220ed4ea92abdebffb8439b5eb | |
parent | daa8454919de6c4e8b914c5d45276abd20baab08 (diff) | |
download | glibc-4cd028677b55c8be454bb06f0b28a8b41beffe9b.tar.gz glibc-4cd028677b55c8be454bb06f0b28a8b41beffe9b.tar.xz glibc-4cd028677b55c8be454bb06f0b28a8b41beffe9b.zip |
prune_impossible_nodes: Avoid overflow in computing re_malloc buffer size
-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | posix/regexec.c | 5 |
2 files changed, 9 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog index 9b3fe33f55..1975f6def7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,9 @@ 2010-01-22 Jim Meyering <jim@meyering.net> + [BZ #11189] + * posix/regexec.c (prune_impossible_nodes): Avoid overflow + in computing re_malloc buffer size. + [BZ #11188] * posix/regexec.c (build_trtable): Avoid arithmetic overflow in size calculation. diff --git a/posix/regexec.c b/posix/regexec.c index 3765d00ffd..a3a7a60d09 100644 --- a/posix/regexec.c +++ b/posix/regexec.c @@ -949,6 +949,11 @@ prune_impossible_nodes (mctx) #endif match_last = mctx->match_last; halt_node = mctx->last_node; + + /* Avoid overflow. */ + if (BE (SIZE_MAX / sizeof (re_dfastate_t *) <= match_last, 0)) + return REG_ESPACE; + sifted_states = re_malloc (re_dfastate_t *, match_last + 1); if (BE (sifted_states == NULL, 0)) { |