From eadc09f22cd81dd0153fba0fd8514261ea9b4196 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Fri, 22 Jan 2010 12:15:53 -0800
Subject: re_search_internal: Avoid overflow in computing re_malloc buffer size
---
 posix/regexec.c | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'posix/regexec.c')
diff --git a/posix/regexec.c b/posix/regexec.c
index a3a7a60d09..11f3d31128 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -691,6 +691,13 @@ re_search_internal (preg, string, length, start, range, stop, nmatch, pmatch,
 multi character collating element. */
 if (nmatch > 1 || dfa->has_mb_node)
 {
+ /* Avoid overflow. */
+ if (BE (SIZE_MAX / sizeof (re_dfastate_t *) <= mctx.input.bufs_len, 0))
+ {
+ err = REG_ESPACE;
+ goto free_return;
+ }
+
 mctx.state_log = re_malloc (re_dfastate_t *, mctx.input.bufs_len + 1);
 if (BE (mctx.state_log == NULL, 0))
 {
-- 
cgit 1.4.1
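Review bot: The comment `/* Avoid overflow. */` on the new guard does not say which computation overflows or why the test uses `<=` rather than `<`. Going by the commit subject, the protected quantity is the byte count that `re_malloc` derives from `mctx.input.bufs_len + 1` elements of `sizeof (re_dfastate_t *)`, and `<=` is what leaves room for the `+ 1`. A comment such as `/* Avoid overflow: the allocation below needs (bufs_len + 1) * sizeof (re_dfastate_t *) bytes; <= accounts for the + 1. */` would keep a later edit from loosening the bound and reintroducing an undersized `state_log`. The guard bounds only the multiplication: the declaration of `bufs_len` is outside the hunk, so if it is a signed type narrower than `size_t`, confirm that `bufs_len + 1` cannot itself overflow where `SIZE_MAX / sizeof (re_dfastate_t *)` exceeds that type's maximum. `re_search_internal` begins and ends outside the hunk, so other allocations sized from `bufs_len` could not be checked here.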