regexec.c: avoid overflow in realloc buffer length computation

author: Paul Eggert <eggert@cs.ucla.edu> 2010-01-22 12:41:12 -0800
committer: Ulrich Drepper <drepper@redhat.com> 2010-01-22 12:41:12 -0800
commit: aef699dce14a56ff0f212f533e5ea485d3cec96a (patch)
tree: 99353c1327b3979272d8a339663fe08d878fe482
parent: 74bc9f14db655d2fdc9018d396af326e9b9bdf3f (diff)
2 files changed, 8 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 969326dbfb..91725d52a4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
 2010-01-22  Jim Meyering  <jim@meyering.net>
 
+	[BZ #11193]
+	* posix/regexec.c (extend_buffers): Avoid overflow in realloc
+	buffer length computation.
+
 	[BZ #11192]
 	* posix/regexec.c (re_copy_regs): Don't leak when allocation
 	of the start buffer succeeds but allocation of the "end" one fails.
diff --git a/posix/regexec.c b/posix/regexec.c
index 949c170ebd..f87701672b 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -4104,6 +4104,10 @@ extend_buffers (re_match_context_t *mctx)
   reg_errcode_t ret;
   re_string_t *pstr = &mctx->input;
 
+  /* Avoid overflow.  */
+  if (BE (INT_MAX / 2 / sizeof (re_dfastate_t *) <= pstr->bufs_len, 0))
+    return REG_ESPACE;
+
   /* Double the lengthes of the buffers.  */
   ret = re_string_realloc_buffers (pstr, pstr->bufs_len * 2);
   if (BE (ret != REG_NOERROR, 0))
author	Paul Eggert <eggert@cs.ucla.edu>	2010-01-22 12:41:12 -0800
committer	Ulrich Drepper <drepper@redhat.com>	2010-01-22 12:41:12 -0800
commit	aef699dce14a56ff0f212f533e5ea485d3cec96a (patch)
tree	99353c1327b3979272d8a339663fe08d878fe482
parent	74bc9f14db655d2fdc9018d396af326e9b9bdf3f (diff)