diff options
| -rw-r--r-- | ChangeLog | 4 | ||||
| -rw-r--r-- | posix/regexec.c | 4 |
2 files changed, 8 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog index 969326dbfb..91725d52a4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,9 @@ 2010-01-22 Jim Meyering <jim@meyering.net> + [BZ #11193] + * posix/regexec.c (extend_buffers): Avoid overflow in realloc + buffer length computation. + [BZ #11192] * posix/regexec.c (re_copy_regs): Don't leak when allocation of the start buffer succeeds but allocation of the "end" one fails. diff --git a/posix/regexec.c b/posix/regexec.c index 949c170ebd..f87701672b 100644 --- a/posix/regexec.c +++ b/posix/regexec.c @@ -4104,6 +4104,10 @@ extend_buffers (re_match_context_t *mctx) reg_errcode_t ret; re_string_t *pstr = &mctx->input; + /* Avoid overflow. */ + if (BE (INT_MAX / 2 / sizeof (re_dfastate_t *) <= pstr->bufs_len, 0)) + return REG_ESPACE; + /* Double the lengthes of the buffers. */ ret = re_string_realloc_buffers (pstr, pstr->bufs_len * 2); if (BE (ret != REG_NOERROR, 0)) |