+2010-01-22 Jim Meyering <jim@meyering.net>
+
+ * posix/regex_internal.c (re_string_realloc_buffers):
+ Detect and handle internal overflow. Patch by Paul Eggert
+
2010-01-20 Andreas Schwab <schwab@redhat.com>
* sysdeps/unix/sysv/linux/s390/s390-32/____longjmp_chk.c
#ifdef RE_ENABLE_I18N
if (pstr->mb_cur_max > 1)
{
- wint_t *new_wcs = re_realloc (pstr->wcs, wint_t, new_buf_len);
+ wint_t *new_wcs;
+
+ /* Avoid overflow in realloc. */
+ const size_t max_object_size = MAX (sizeof (wint_t), sizeof (int));
+ if (BE (SIZE_MAX / max_object_size < new_buf_len, 0))
+ return REG_ESPACE;
+
+ new_wcs = re_realloc (pstr->wcs, wint_t, new_buf_len);
if (BE (new_wcs == NULL, 0))
return REG_ESPACE;
pstr->wcs = new_wcs;