Skip to content

Commit

Permalink
regexec.c: avoid overflow in realloc buffer length computation
Browse files Browse the repository at this point in the history
  • Loading branch information
Paul Eggert authored and Ulrich Drepper committed Jan 22, 2010
1 parent 74bc9f1 commit aef699d
Show file tree
Hide file tree
Showing 2 changed files with 8 additions and 0 deletions.
4 changes: 4 additions & 0 deletions ChangeLog
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
2010-01-22 Jim Meyering <jim@meyering.net>

[BZ #11193]
* posix/regexec.c (extend_buffers): Avoid overflow in realloc
buffer length computation.

[BZ #11192]
* posix/regexec.c (re_copy_regs): Don't leak when allocation
of the start buffer succeeds but allocation of the "end" one fails.
Expand Down
4 changes: 4 additions & 0 deletions posix/regexec.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4104,6 +4104,10 @@ extend_buffers (re_match_context_t *mctx)
reg_errcode_t ret;
re_string_t *pstr = &mctx->input;

/* Avoid overflow. */
if (BE (INT_MAX / 2 / sizeof (re_dfastate_t *) <= pstr->bufs_len, 0))
return REG_ESPACE;

/* Double the lengthes of the buffers. */
ret = re_string_realloc_buffers (pstr, pstr->bufs_len * 2);
if (BE (ret != REG_NOERROR, 0))
Expand Down

0 comments on commit aef699d

Please sign in to comment.