From daa8454919de6c4e8b914c5d45276abd20baab08 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Fri, 22 Jan 2010 10:52:38 -0800
Subject: regexec.c: avoid arithmetic overflow in buffer size calculation

---
 posix/regexec.c | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'posix')

diff --git a/posix/regexec.c b/posix/regexec.c
index c7d0b37ef5..3765d00ffd 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -3359,6 +3359,13 @@ build_trtable (const re_dfa_t *dfa, re_dfastate_t *state)
   if (BE (err != REG_NOERROR, 0))
     goto out_free;
 
+  /* Avoid arithmetic overflow in size calculation.  */
+  if (BE ((((SIZE_MAX - (sizeof (re_node_set) + sizeof (bitset_t)) * SBC_MAX)
+	    / (3 * sizeof (re_dfastate_t *)))
+	   < ndests),
+	  0))
+    goto out_free;
+
   if (__libc_use_alloca ((sizeof (re_node_set) + sizeof (bitset_t)) * SBC_MAX
 			 + ndests * 3 * sizeof (re_dfastate_t *)))
     dest_states = (re_dfastate_t **)
-- 
cgit v1.2.3