regex: avoid internal re_realloc overflow

author Ulrich Drepper <drepper@redhat.com>

Fri, 22 Jan 2010 17:33:01 +0000 (09:33 -0800)

committer Ulrich Drepper <drepper@redhat.com>

Fri, 22 Jan 2010 17:33:01 +0000 (09:33 -0800)
author Ulrich Drepper <drepper@redhat.com>
Fri, 22 Jan 2010 17:33:01 +0000 (09:33 -0800)
committer Ulrich Drepper <drepper@redhat.com>
Fri, 22 Jan 2010 17:33:01 +0000 (09:33 -0800)
diff --git a/ChangeLog b/ChangeLog

index 75c3043..7afc90c 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2010-01-22  Jim Meyering  <jim@meyering.net>
+
+       * posix/regex_internal.c (re_string_realloc_buffers):
+       Detect and handle internal overflow.  Patch by Paul Eggert
+
  2010-01-20  Andreas Schwab  <schwab@redhat.com>
  
         * sysdeps/unix/sysv/linux/s390/s390-32/____longjmp_chk.c
diff --git a/posix/regex_internal.c b/posix/regex_internal.c

index ff28e5f..690ed8d 100644 (file)
--- a/posix/regex_internal.c
+++ b/posix/regex_internal.c
@@ -133,7 +133,14 @@ re_string_realloc_buffers (re_string_t *pstr, int new_buf_len)
  #ifdef RE_ENABLE_I18N
    if (pstr->mb_cur_max > 1)
      {
-      wint_t *new_wcs = re_realloc (pstr->wcs, wint_t, new_buf_len);
+      wint_t *new_wcs;
+
+      /* Avoid overflow in realloc.  */
+      const size_t max_object_size = MAX (sizeof (wint_t), sizeof (int));
+      if (BE (SIZE_MAX / max_object_size < new_buf_len, 0))
+       return REG_ESPACE;
+
+      new_wcs = re_realloc (pstr->wcs, wint_t, new_buf_len);
        if (BE (new_wcs == NULL, 0))
         return REG_ESPACE;
        pstr->wcs = new_wcs;
author	Ulrich Drepper <drepper@redhat.com>
	Fri, 22 Jan 2010 17:33:01 +0000 (09:33 -0800)
committer	Ulrich Drepper <drepper@redhat.com>
	Fri, 22 Jan 2010 17:33:01 +0000 (09:33 -0800)
ChangeLog		patch \| blob \| history
posix/regex_internal.c		patch \| blob \| history