diff options
author | Paul Eggert <eggert@cs.ucla.edu> | 2010-01-22 12:15:53 -0800 |
---|---|---|
committer | Ulrich Drepper <drepper@redhat.com> | 2010-01-22 12:15:53 -0800 |
commit | eadc09f22cd81dd0153fba0fd8514261ea9b4196 (patch) | |
tree | f9d60b20a484365fb497fe9fc8d7b545d3a0a116 /posix/regexec.c | |
parent | 4cd028677b55c8be454bb06f0b28a8b41beffe9b (diff) | |
download | glibc-eadc09f22cd81dd0153fba0fd8514261ea9b4196.tar.gz glibc-eadc09f22cd81dd0153fba0fd8514261ea9b4196.tar.xz glibc-eadc09f22cd81dd0153fba0fd8514261ea9b4196.zip |
re_search_internal: Avoid overflow in computing re_malloc buffer size
Diffstat (limited to 'posix/regexec.c')
-rw-r--r-- | posix/regexec.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/posix/regexec.c b/posix/regexec.c index a3a7a60d09..11f3d31128 100644 --- a/posix/regexec.c +++ b/posix/regexec.c @@ -691,6 +691,13 @@ re_search_internal (preg, string, length, start, range, stop, nmatch, pmatch, multi character collating element. */ if (nmatch > 1 || dfa->has_mb_node) { + /* Avoid overflow. */ + if (BE (SIZE_MAX / sizeof (re_dfastate_t *) <= mctx.input.bufs_len, 0)) + { + err = REG_ESPACE; + goto free_return; + } + mctx.state_log = re_malloc (re_dfastate_t *, mctx.input.bufs_len + 1); if (BE (mctx.state_log == NULL, 0)) { |