regexec.c: avoid overflow in realloc buffer length computation

author Paul Eggert <eggert@cs.ucla.edu>

Fri, 22 Jan 2010 20:41:12 +0000 (12:41 -0800)

committer Ulrich Drepper <drepper@redhat.com>

Fri, 22 Jan 2010 20:41:12 +0000 (12:41 -0800)
author Paul Eggert <eggert@cs.ucla.edu>
Fri, 22 Jan 2010 20:41:12 +0000 (12:41 -0800)
committer Ulrich Drepper <drepper@redhat.com>
Fri, 22 Jan 2010 20:41:12 +0000 (12:41 -0800)
diff --git a/ChangeLog b/ChangeLog

index 969326d..91725d5 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
  2010-01-22  Jim Meyering  <jim@meyering.net>
  
+       [BZ #11193]
+       * posix/regexec.c (extend_buffers): Avoid overflow in realloc
+       buffer length computation.
+
         [BZ #11192]
         * posix/regexec.c (re_copy_regs): Don't leak when allocation
         of the start buffer succeeds but allocation of the "end" one fails.
diff --git a/posix/regexec.c b/posix/regexec.c

index 949c170..f877016 100644 (file)
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -4104,6 +4104,10 @@ extend_buffers (re_match_context_t *mctx)
    reg_errcode_t ret;
    re_string_t *pstr = &mctx->input;
  
+  /* Avoid overflow.  */
+  if (BE (INT_MAX / 2 / sizeof (re_dfastate_t *) <= pstr->bufs_len, 0))
+    return REG_ESPACE;
+
    /* Double the lengthes of the buffers.  */
    ret = re_string_realloc_buffers (pstr, pstr->bufs_len * 2);
    if (BE (ret != REG_NOERROR, 0))
author	Paul Eggert <eggert@cs.ucla.edu>
	Fri, 22 Jan 2010 20:41:12 +0000 (12:41 -0800)
committer	Ulrich Drepper <drepper@redhat.com>
	Fri, 22 Jan 2010 20:41:12 +0000 (12:41 -0800)
ChangeLog		patch \| blob \| history
posix/regexec.c		patch \| blob \| history