authorUlrich Drepper <drepper@redhat.com>2010-01-22 09:48:35 -0800
committerUlrich Drepper <drepper@redhat.com>2010-01-22 09:48:35 -0800
commit22364644882b6cf426ed13be5b6480c3a9210eb1 (patch)
tree57908032218d730f63226bbc1c87d5969d455bf4
parent54dd0ab31fe2b2168ba1a6180a0c05941fb54b3c (diff)
Extend overflow detection in re_dfa_add_node.
-rw-r--r--ChangeLog5
-rw-r--r--posix/regex_internal.c7
2 files changed, 10 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 7afc90cde6..98c36d5012 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
 2010-01-22  Jim Meyering  <jim@meyering.net>
 
+	[BZ #11184]
+	* posix/regex_internal.c (re_dfa_add_node): Extend the overflow
+	detection test.  Patch by Paul Eggert.
+
+	[BZ #11183]
 	* posix/regex_internal.c (re_string_realloc_buffers):
 	Detect and handle internal overflow.  Patch by Paul Eggert
 
diff --git a/posix/regex_internal.c b/posix/regex_internal.c
index 690ed8d8b7..67c174a824 100644
--- a/posix/regex_internal.c
+++ b/posix/regex_internal.c
@@ -1411,8 +1411,11 @@ re_dfa_add_node (re_dfa_t *dfa, re_token_t token)
       re_node_set *new_edests, *new_eclosures;
       re_token_t *new_nodes;
 
-      /* Avoid overflows.  */
-      if (BE (new_nodes_alloc < dfa->nodes_alloc, 0))
+      /* Avoid overflows in realloc.  */
+      const size_t max_object_size = MAX (sizeof (re_token_t),
+					  MAX (sizeof (re_node_set),
+					       sizeof (int)));
+      if (BE (SIZE_MAX / max_object_size < new_nodes_alloc, 0))
 	return -1;
 
       new_nodes = re_realloc (dfa->nodes, re_token_t, new_nodes_alloc);
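Review bot: The new test on the `if (BE (SIZE_MAX / max_object_size < new_nodes_alloc, 0))` line replaces the old `new_nodes_alloc < dfa->nodes_alloc` comparison instead of adding to it, so a growth computation that wrapped to a small new_nodes_alloc would now pass the check. How new_nodes_alloc is computed lies outside the hunk; if it is a doubling of dfa->nodes_alloc, the bound enforced on earlier calls probably makes a wrap impossible, but that invariant is left implicit. Either keep both conditions, `if (BE (new_nodes_alloc < dfa->nodes_alloc || SIZE_MAX / max_object_size < new_nodes_alloc, 0))`, or state the invariant in the comment. The comment should also name which later re_realloc calls the re_node_set and int sizes are meant to cover, since only the re_token_t call is visible here and a new array with a larger element type would silently fall outside the bound.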