regexec.c: avoid arithmetic overflow in buffer size calculation
Paul Eggert authored and Ulrich Drepper committed Jan 22, 2010
1 parent d044d84 commit daa8454
Showing 2 changed files with 11 additions and 0 deletions.
4 changes: 4 additions & 0 deletions ChangeLog
@@ -1,5 +1,9 @@
2010-01-22 Jim Meyering <jim@meyering.net>

[BZ #11188]
* posix/regexec.c (build_trtable): Avoid arithmetic overflow
in size calculation.

[BZ #11187]
* posix/regexec.c (re_search_2_stub): Use simpler method than
boolean for freeing internal storage.
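Review bot: The new [BZ #11188] entry is filed under the existing "2010-01-22 Jim Meyering" header, while the commit metadata names Paul Eggert as author, so the attribution should be confirmed and the entry given its own dated header if the author differs. The wording "size calculation" could also name what is being sized, the dest_states allocation in build_trtable, so the entry can be matched to the guard without opening the diff.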
7 changes: 7 additions & 0 deletions posix/regexec.c
Expand Up @@ -3359,6 +3359,13 @@ build_trtable (const re_dfa_t *dfa, re_dfastate_t *state)
if (BE (err != REG_NOERROR, 0))
goto out_free;

/* Avoid arithmetic overflow in size calculation. */
if (BE ((((SIZE_MAX - (sizeof (re_node_set) + sizeof (bitset_t)) * SBC_MAX)
/ (3 * sizeof (re_dfastate_t *)))
< ndests),
0))
goto out_free;

if (__libc_use_alloca ((sizeof (re_node_set) + sizeof (bitset_t)) * SBC_MAX
+ ndests * 3 * sizeof (re_dfastate_t *)))
dest_states = (re_dfastate_t **)
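Review bot: The new `goto out_free` is reached only when err is still REG_NOERROR, because the check directly above has already left for every other value, so the out_free path (not visible in this hunk) has to report failure without looking at err. Please confirm it does, or set an error before the jump so an oversized ndests cannot be mistaken for success. Separately, the guard repeats the size expression from the `__libc_use_alloca` call below it, `(sizeof (re_node_set) + sizeof (bitset_t)) * SBC_MAX` plus `ndests * 3 * sizeof (re_dfastate_t *)`. Naming the fixed part and the per-destination factor once and using them in both places would keep the bound and the allocation from drifting apart in a later edit.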