regexec.c: avoid overflow in realloc buffer length computation

diff --git a/ChangeLog b/ChangeLog
index 969326d..91725d5 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
 2010-01-22  Jim Meyering  <jim@meyering.net>
 
+       [BZ #11193]
+       * posix/regexec.c (extend_buffers): Avoid overflow in realloc
+       buffer length computation.
+
        [BZ #11192]
        * posix/regexec.c (re_copy_regs): Don't leak when allocation
        of the start buffer succeeds but allocation of the "end" one fails.

diff --git a/posix/regexec.c b/posix/regexec.c
index 949c170..f877016 100644 (file)
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -4104,6 +4104,10 @@ extend_buffers (re_match_context_t *mctx)
   reg_errcode_t ret;
   re_string_t *pstr = &mctx->input;
 
+  /* Avoid overflow.  */
+  if (BE (INT_MAX / 2 / sizeof (re_dfastate_t *) <= pstr->bufs_len, 0))
+    return REG_ESPACE;
+
   /* Double the lengthes of the buffers.  */
   ret = re_string_realloc_buffers (pstr, pstr->bufs_len * 2);
   if (BE (ret != REG_NOERROR, 0))