diff options
| author | Paul Eggert <eggert@cs.ucla.edu> | 2010-01-22 12:41:12 -0800 |
|---|---|---|
| committer | Ulrich Drepper <drepper@redhat.com> | 2010-01-22 12:41:12 -0800 |
| commit | aef699dce14a56ff0f212f533e5ea485d3cec96a (patch) | |
| tree | 99353c1327b3979272d8a339663fe08d878fe482 /posix/regexec.c | |
| parent | 74bc9f14db655d2fdc9018d396af326e9b9bdf3f (diff) | |
| download | glibc-aef699dce14a56ff0f212f533e5ea485d3cec96a.tar.gz glibc-aef699dce14a56ff0f212f533e5ea485d3cec96a.tar.xz glibc-aef699dce14a56ff0f212f533e5ea485d3cec96a.zip | |
regexec.c: avoid overflow in realloc buffer length computation
Diffstat (limited to 'posix/regexec.c')
| -rw-r--r-- | posix/regexec.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/posix/regexec.c b/posix/regexec.c index 949c170ebd..f87701672b 100644 --- a/posix/regexec.c +++ b/posix/regexec.c @@ -4104,6 +4104,10 @@ extend_buffers (re_match_context_t *mctx) reg_errcode_t ret; re_string_t *pstr = &mctx->input; + /* Avoid overflow. */ + if (BE (INT_MAX / 2 / sizeof (re_dfastate_t *) <= pstr->bufs_len, 0)) + return REG_ESPACE; + /* Double the lengthes of the buffers. */ ret = re_string_realloc_buffers (pstr, pstr->bufs_len * 2); if (BE (ret != REG_NOERROR, 0)) |