prune_impossible_nodes: Avoid overflow in computing re_malloc buffer size

author Paul Eggert <eggert@cs.ucla.edu>

Fri, 22 Jan 2010 20:03:56 +0000 (12:03 -0800)

committer Ulrich Drepper <drepper@redhat.com>

Fri, 22 Jan 2010 20:03:56 +0000 (12:03 -0800)
author Paul Eggert <eggert@cs.ucla.edu>
Fri, 22 Jan 2010 20:03:56 +0000 (12:03 -0800)
committer Ulrich Drepper <drepper@redhat.com>
Fri, 22 Jan 2010 20:03:56 +0000 (12:03 -0800)
diff --git a/ChangeLog b/ChangeLog

index 9b3fe33..1975f6d 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
  2010-01-22  Jim Meyering  <jim@meyering.net>
  
+       [BZ #11189]
+       * posix/regexec.c (prune_impossible_nodes): Avoid overflow
+       in computing re_malloc buffer size.
+
         [BZ #11188]
         * posix/regexec.c (build_trtable): Avoid arithmetic overflow
         in size calculation.
diff --git a/posix/regexec.c b/posix/regexec.c

index 3765d00..a3a7a60 100644 (file)
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -949,6 +949,11 @@ prune_impossible_nodes (mctx)
  #endif
    match_last = mctx->match_last;
    halt_node = mctx->last_node;
+
+  /* Avoid overflow.  */
+  if (BE (SIZE_MAX / sizeof (re_dfastate_t *) <= match_last, 0))
+    return REG_ESPACE;
+
    sifted_states = re_malloc (re_dfastate_t *, match_last + 1);
    if (BE (sifted_states == NULL, 0))
      {
author	Paul Eggert <eggert@cs.ucla.edu>
	Fri, 22 Jan 2010 20:03:56 +0000 (12:03 -0800)
committer	Ulrich Drepper <drepper@redhat.com>
	Fri, 22 Jan 2010 20:03:56 +0000 (12:03 -0800)
ChangeLog		patch \| blob \| history
posix/regexec.c		patch \| blob \| history