From 42a2c9b5c3c92f7e2f556d7bc9dc80e557484574 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Fri, 22 Jan 2010 12:22:18 -0800
Subject: regexec.c: avoid overflow in computing sum of lengths

---
 posix/regexec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'posix/regexec.c')

diff --git a/posix/regexec.c b/posix/regexec.c
index 11f3d31128..bad52ac2e0 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -370,7 +370,7 @@ re_search_2_stub (bufp, string1, length1, string2, length2, start, range, regs,
   int len = length1 + length2;
   char *s = NULL;
 
-  if (BE (length1 < 0 || length2 < 0 || stop < 0, 0))
+  if (BE (length1 < 0 || length2 < 0 || stop < 0 || len < length1, 0))
     return -2;
 
   /* Concatenate the strings.  */
-- 
cgit 1.4.1