From eadc09f22cd81dd0153fba0fd8514261ea9b4196 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Fri, 22 Jan 2010 12:15:53 -0800 Subject: re_search_internal: Avoid overflow in computing re_malloc buffer size --- posix/regexec.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'posix/regexec.c') diff --git a/posix/regexec.c b/posix/regexec.c index a3a7a60d09..11f3d31128 100644 --- a/posix/regexec.c +++ b/posix/regexec.c @@ -691,6 +691,13 @@ re_search_internal (preg, string, length, start, range, stop, nmatch, pmatch, multi character collating element. */ if (nmatch > 1 || dfa->has_mb_node) { + /* Avoid overflow. */ + if (BE (SIZE_MAX / sizeof (re_dfastate_t *) <= mctx.input.bufs_len, 0)) + { + err = REG_ESPACE; + goto free_return; + } + mctx.state_log = re_malloc (re_dfastate_t *, mctx.input.bufs_len + 1); if (BE (mctx.state_log == NULL, 0)) { -- cgit v1.2.3-65-gdbad