about summary refs log tree commit diff
path: root/posix/regexec.c
diff options
context:
space:
mode:
authorPaul Eggert <eggert@cs.ucla.edu>2010-01-22 12:15:53 -0800
committerUlrich Drepper <drepper@redhat.com>2010-01-22 12:15:53 -0800
commiteadc09f22cd81dd0153fba0fd8514261ea9b4196 (patch)
treef9d60b20a484365fb497fe9fc8d7b545d3a0a116 /posix/regexec.c
parent4cd028677b55c8be454bb06f0b28a8b41beffe9b (diff)
downloadglibc-eadc09f22cd81dd0153fba0fd8514261ea9b4196.tar.gz
glibc-eadc09f22cd81dd0153fba0fd8514261ea9b4196.tar.xz
glibc-eadc09f22cd81dd0153fba0fd8514261ea9b4196.zip
re_search_internal: Avoid overflow in computing re_malloc buffer size
Diffstat (limited to 'posix/regexec.c')
-rw-r--r--posix/regexec.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/posix/regexec.c b/posix/regexec.c
index a3a7a60d09..11f3d31128 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -691,6 +691,13 @@ re_search_internal (preg, string, length, start, range, stop, nmatch, pmatch,
      multi character collating element.  */
   if (nmatch > 1 || dfa->has_mb_node)
     {
+      /* Avoid overflow.  */
+      if (BE (SIZE_MAX / sizeof (re_dfastate_t *) <= mctx.input.bufs_len, 0))
+	{
+	  err = REG_ESPACE;
+	  goto free_return;
+	}
+
       mctx.state_log = re_malloc (re_dfastate_t *, mctx.input.bufs_len + 1);
       if (BE (mctx.state_log == NULL, 0))
 	{