authorPaul Eggert <eggert@cs.ucla.edu>2010-01-22 10:52:38 -0800
committerUlrich Drepper <drepper@redhat.com>2010-01-22 10:52:38 -0800
commitdaa8454919de6c4e8b914c5d45276abd20baab08 (patch)
tree6cfa85d7ad5f6eaacc531ff168bb9045830a1d59
parentd044d844dd011bb26317ac36da2d22ebe19621b1 (diff)
regexec.c: avoid arithmetic overflow in buffer size calculation
-rw-r--r--ChangeLog4
-rw-r--r--posix/regexec.c7
2 files changed, 11 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index c4fb74f09a..9b3fe33f55 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
2010-01-22 Jim Meyering <jim@meyering.net>
+ [BZ #11188]
+ * posix/regexec.c (build_trtable): Avoid arithmetic overflow
+ in size calculation.
+
[BZ #11187]
* posix/regexec.c (re_search_2_stub): Use simpler method than
boolean for freeing internal storage.
diff --git a/posix/regexec.c b/posix/regexec.c
index c7d0b37ef5..3765d00ffd 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -3359,6 +3359,13 @@ build_trtable (const re_dfa_t *dfa, re_dfastate_t *state)
if (BE (err != REG_NOERROR, 0))
goto out_free;
+ /* Avoid arithmetic overflow in size calculation. */
+ if (BE ((((SIZE_MAX - (sizeof (re_node_set) + sizeof (bitset_t)) * SBC_MAX)
+ / (3 * sizeof (re_dfastate_t *)))
+ < ndests),
+ 0))
+ goto out_free;
+
if (__libc_use_alloca ((sizeof (re_node_set) + sizeof (bitset_t)) * SBC_MAX
+ ndests * 3 * sizeof (re_dfastate_t *)))
dest_states = (re_dfastate_t **)
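Review bot: The bound in the added `if (BE ((((SIZE_MAX - ...` guard is a hand-inverted copy of the size expression passed to `__libc_use_alloca` just below it, so the two are kept in sync only by eye; if either is edited later, the check can silently stop covering the size that is actually computed. Naming the two terms once as locals, `size_t fixed_size = (sizeof (re_node_set) + sizeof (bitset_t)) * SBC_MAX;` and `size_t per_dest = 3 * sizeof (re_dfastate_t *);`, and using them in both the guard and the size argument would tie them together. The comment could also state the consequence, for example `/* A wrapped size could look small enough for alloca while being too small for ndests entries. */`. The declaration of `ndests` and the `out_free` label lie outside this hunk, so it is worth confirming that `ndests` converts to `size_t` as intended in the comparison and that `out_free` is safe to reach before `dest_states` has been assigned.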