From 4cd028677b55c8be454bb06f0b28a8b41beffe9b Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Fri, 22 Jan 2010 12:03:56 -0800
Subject: prune_impossible_nodes: Avoid overflow in computing re_malloc buffer
 size

---
 posix/regexec.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'posix')

diff --git a/posix/regexec.c b/posix/regexec.c
index 3765d00ffd..a3a7a60d09 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -949,6 +949,11 @@ prune_impossible_nodes (mctx)
 #endif
   match_last = mctx->match_last;
   halt_node = mctx->last_node;
+
+  /* Avoid overflow.  */
+  if (BE (SIZE_MAX / sizeof (re_dfastate_t *) <= match_last, 0))
+    return REG_ESPACE;
+
   sifted_states = re_malloc (re_dfastate_t *, match_last + 1);
   if (BE (sifted_states == NULL, 0))
     {
-- 
cgit 1.4.1