2010-01-22 Jim Meyering <jim@meyering.net>
+ [BZ #11189]
+ * posix/regexec.c (prune_impossible_nodes): Avoid overflow
+ in computing re_malloc buffer size.
+
[BZ #11188]
* posix/regexec.c (build_trtable): Avoid arithmetic overflow
in size calculation.
#endif
match_last = mctx->match_last;
halt_node = mctx->last_node;
+
+ /* Avoid overflow. */
+ if (BE (SIZE_MAX / sizeof (re_dfastate_t *) <= match_last, 0))
+ return REG_ESPACE;
+
sifted_states = re_malloc (re_dfastate_t *, match_last + 1);
if (BE (sifted_states == NULL, 0))
{