diff options
| author | Paul Eggert <eggert@cs.ucla.edu> | 2010-01-22 12:41:12 -0800 |
|---|---|---|
| committer | Ulrich Drepper <drepper@redhat.com> | 2010-01-22 12:41:12 -0800 |
| commit | aef699dce14a56ff0f212f533e5ea485d3cec96a (patch) | |
| tree | 99353c1327b3979272d8a339663fe08d878fe482 | |
| parent | 74bc9f14db655d2fdc9018d396af326e9b9bdf3f (diff) | |
| download | glibc-aef699dce14a56ff0f212f533e5ea485d3cec96a.tar glibc-aef699dce14a56ff0f212f533e5ea485d3cec96a.tar.gz glibc-aef699dce14a56ff0f212f533e5ea485d3cec96a.tar.bz2 glibc-aef699dce14a56ff0f212f533e5ea485d3cec96a.zip | |
regexec.c: avoid overflow in realloc buffer length computation
| -rw-r--r-- | ChangeLog | 4 | ||||
| -rw-r--r-- | posix/regexec.c | 4 |
2 files changed, 8 insertions, 0 deletions
@@ -1,5 +1,9 @@ 2010-01-22 Jim Meyering <jim@meyering.net> + [BZ #11193] + * posix/regexec.c (extend_buffers): Avoid overflow in realloc + buffer length computation. + [BZ #11192] * posix/regexec.c (re_copy_regs): Don't leak when allocation of the start buffer succeeds but allocation of the "end" one fails. diff --git a/posix/regexec.c b/posix/regexec.c index 949c170ebd..f87701672b 100644 --- a/posix/regexec.c +++ b/posix/regexec.c @@ -4104,6 +4104,10 @@ extend_buffers (re_match_context_t *mctx) reg_errcode_t ret; re_string_t *pstr = &mctx->input; + /* Avoid overflow. */ + if (BE (INT_MAX / 2 / sizeof (re_dfastate_t *) <= pstr->bufs_len, 0)) + return REG_ESPACE; + /* Double the lengthes of the buffers. */ ret = re_string_realloc_buffers (pstr, pstr->bufs_len * 2); if (BE (ret != REG_NOERROR, 0)) |