diff options
author | Paul Eggert <eggert@cs.ucla.edu> | 2010-01-22 12:22:18 -0800 |
---|---|---|
committer | Ulrich Drepper <drepper@redhat.com> | 2010-01-22 12:22:18 -0800 |
commit | 42a2c9b5c3c92f7e2f556d7bc9dc80e557484574 (patch) | |
tree | c813ae09a934ebd6900f320b7d31baebfd347ad8 | |
parent | eadc09f22cd81dd0153fba0fd8514261ea9b4196 (diff) | |
download | glibc-42a2c9b5c3c92f7e2f556d7bc9dc80e557484574.tar glibc-42a2c9b5c3c92f7e2f556d7bc9dc80e557484574.tar.gz glibc-42a2c9b5c3c92f7e2f556d7bc9dc80e557484574.tar.bz2 glibc-42a2c9b5c3c92f7e2f556d7bc9dc80e557484574.zip |
regexec.c: avoid overflow in computing sum of lengths
-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | posix/regexec.c | 2 |
2 files changed, 5 insertions, 1 deletions
@@ -1,5 +1,9 @@ 2010-01-22 Jim Meyering <jim@meyering.net> + [BZ #11191] + * posix/regexec.c (re_search_2_stub): Check for overflow + when adding the sizes of the two strings. + [BZ #11190] * posix/regexec.c (re_search_internal): Avoid overflow in computing re_malloc buffer size. diff --git a/posix/regexec.c b/posix/regexec.c index 11f3d31128..bad52ac2e0 100644 --- a/posix/regexec.c +++ b/posix/regexec.c @@ -370,7 +370,7 @@ re_search_2_stub (bufp, string1, length1, string2, length2, start, range, regs, int len = length1 + length2; char *s = NULL; - if (BE (length1 < 0 || length2 < 0 || stop < 0, 0)) + if (BE (length1 < 0 || length2 < 0 || stop < 0 || len < length1, 0)) return -2; /* Concatenate the strings. */ |