regex: avoid internal re_realloc overflow

(cherry picked from commit 54dd0ab31fe2b2168ba1a6180a0c05941fb54b3c)
author: Ulrich Drepper <drepper@redhat.com> 2010-01-22 09:33:01 -0800
committer: Petr Baudis <pasky@ucw.cz> 2010-05-12 01:33:46 +0200
commit: 5238213a22c9e64eff78e1eda1763c6c4bf52bcd (patch)
tree: 2308d9c68f9f4a9b97b4b93c77c38f6fdb49b820 /posix
parent: b95387484e410a20334919b250f1614be468e41c (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/posix/regex_internal.c b/posix/regex_internal.c
index c9da2b961c..fec3123054 100644
--- a/posix/regex_internal.c
+++ b/posix/regex_internal.c
@@ -133,7 +133,14 @@ re_string_realloc_buffers (re_string_t *pstr, int new_buf_len)
 #ifdef RE_ENABLE_I18N
   if (pstr->mb_cur_max > 1)
     {
-      wint_t *new_wcs = re_realloc (pstr->wcs, wint_t, new_buf_len);
+      wint_t *new_wcs;
+
+      /* Avoid overflow in realloc.  */
+      const size_t max_object_size = MAX (sizeof (wint_t), sizeof (int));
+      if (BE (SIZE_MAX / max_object_size < new_buf_len, 0))
+	return REG_ESPACE;
+
+      new_wcs = re_realloc (pstr->wcs, wint_t, new_buf_len);
       if (BE (new_wcs == NULL, 0))
 	return REG_ESPACE;
       pstr->wcs = new_wcs;
author	Ulrich Drepper <drepper@redhat.com>	2010-01-22 09:33:01 -0800
committer	Petr Baudis <pasky@ucw.cz>	2010-05-12 01:33:46 +0200
commit	5238213a22c9e64eff78e1eda1763c6c4bf52bcd (patch)
tree	2308d9c68f9f4a9b97b4b93c77c38f6fdb49b820 /posix
parent	b95387484e410a20334919b250f1614be468e41c (diff)