aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPaul Eggert <eggert@cs.ucla.edu>2010-01-22 12:22:18 -0800
committerUlrich Drepper <drepper@redhat.com>2010-01-22 12:22:18 -0800
commit42a2c9b5c3c92f7e2f556d7bc9dc80e557484574 (patch)
treec813ae09a934ebd6900f320b7d31baebfd347ad8
parenteadc09f22cd81dd0153fba0fd8514261ea9b4196 (diff)
downloadglibc-42a2c9b5c3c92f7e2f556d7bc9dc80e557484574.tar
glibc-42a2c9b5c3c92f7e2f556d7bc9dc80e557484574.tar.gz
glibc-42a2c9b5c3c92f7e2f556d7bc9dc80e557484574.tar.bz2
glibc-42a2c9b5c3c92f7e2f556d7bc9dc80e557484574.zip
regexec.c: avoid overflow in computing sum of lengths
-rw-r--r--ChangeLog4
-rw-r--r--posix/regexec.c2
2 files changed, 5 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 31251f16c9..e6167fae89 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
2010-01-22 Jim Meyering <jim@meyering.net>
+ [BZ #11191]
+ * posix/regexec.c (re_search_2_stub): Check for overflow
+ when adding the sizes of the two strings.
+
[BZ #11190]
* posix/regexec.c (re_search_internal): Avoid overflow
in computing re_malloc buffer size.
diff --git a/posix/regexec.c b/posix/regexec.c
index 11f3d31128..bad52ac2e0 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -370,7 +370,7 @@ re_search_2_stub (bufp, string1, length1, string2, length2, start, range, regs,
int len = length1 + length2;
char *s = NULL;
- if (BE (length1 < 0 || length2 < 0 || stop < 0, 0))
+ if (BE (length1 < 0 || length2 < 0 || stop < 0 || len < length1, 0))
return -2;
/* Concatenate the strings. */