Skip to content

Commit

Permalink
re_search_internal: Avoid overflow in computing re_malloc buffer size
Browse files Browse the repository at this point in the history
  • Loading branch information
Paul Eggert authored and Ulrich Drepper committed Jan 22, 2010
1 parent 4cd0286 commit eadc09f
Show file tree
Hide file tree
Showing 2 changed files with 11 additions and 0 deletions.
4 changes: 4 additions & 0 deletions ChangeLog
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
2010-01-22 Jim Meyering <jim@meyering.net>

[BZ #11190]
* posix/regexec.c (re_search_internal): Avoid overflow
in computing re_malloc buffer size.

[BZ #11189]
* posix/regexec.c (prune_impossible_nodes): Avoid overflow
in computing re_malloc buffer size.
Expand Down
7 changes: 7 additions & 0 deletions posix/regexec.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -691,6 +691,13 @@ re_search_internal (preg, string, length, start, range, stop, nmatch, pmatch,
multi character collating element. */
if (nmatch > 1 || dfa->has_mb_node)
{
/* Avoid overflow. */
if (BE (SIZE_MAX / sizeof (re_dfastate_t *) <= mctx.input.bufs_len, 0))
{
err = REG_ESPACE;
goto free_return;
}

mctx.state_log = re_malloc (re_dfastate_t *, mctx.input.bufs_len + 1);
if (BE (mctx.state_log == NULL, 0))
{
Expand Down

0 comments on commit eadc09f

Please sign in to comment.