diff options
author | Ulrich Drepper <drepper@redhat.com> | 2010-01-22 09:33:01 -0800 |
---|---|---|
committer | Ulrich Drepper <drepper@redhat.com> | 2010-01-22 09:33:01 -0800 |
commit | 54dd0ab31fe2b2168ba1a6180a0c05941fb54b3c (patch) | |
tree | 9e745910f1a8cfb928c6cfdaf812a672f6399d49 /posix | |
parent | e3b7670be21d6992e3ca9ee1ad3a5d08eb3a24c9 (diff) | |
download | glibc-54dd0ab31fe2b2168ba1a6180a0c05941fb54b3c.tar.gz glibc-54dd0ab31fe2b2168ba1a6180a0c05941fb54b3c.tar.xz glibc-54dd0ab31fe2b2168ba1a6180a0c05941fb54b3c.zip |
regex: avoid internal re_realloc overflow
Diffstat (limited to 'posix')
-rw-r--r-- | posix/regex_internal.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/posix/regex_internal.c b/posix/regex_internal.c index ff28e5fcb9..690ed8d8b7 100644 --- a/posix/regex_internal.c +++ b/posix/regex_internal.c @@ -133,7 +133,14 @@ re_string_realloc_buffers (re_string_t *pstr, int new_buf_len) #ifdef RE_ENABLE_I18N if (pstr->mb_cur_max > 1) { - wint_t *new_wcs = re_realloc (pstr->wcs, wint_t, new_buf_len); + wint_t *new_wcs; + + /* Avoid overflow in realloc. */ + const size_t max_object_size = MAX (sizeof (wint_t), sizeof (int)); + if (BE (SIZE_MAX / max_object_size < new_buf_len, 0)) + return REG_ESPACE; + + new_wcs = re_realloc (pstr->wcs, wint_t, new_buf_len); if (BE (new_wcs == NULL, 0)) return REG_ESPACE; pstr->wcs = new_wcs; |