re_search_internal: Avoid overflow in computing re_malloc buffer size

author Paul Eggert <eggert@cs.ucla.edu>

Fri, 22 Jan 2010 20:15:53 +0000 (12:15 -0800)

committer Ulrich Drepper <drepper@redhat.com>

Fri, 22 Jan 2010 20:15:53 +0000 (12:15 -0800)
author Paul Eggert <eggert@cs.ucla.edu>
Fri, 22 Jan 2010 20:15:53 +0000 (12:15 -0800)
committer Ulrich Drepper <drepper@redhat.com>
Fri, 22 Jan 2010 20:15:53 +0000 (12:15 -0800)
diff --git a/ChangeLog b/ChangeLog

index 1975f6d..31251f1 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
  2010-01-22  Jim Meyering  <jim@meyering.net>
  
+       [BZ #11190]
+       * posix/regexec.c (re_search_internal): Avoid overflow
+       in computing re_malloc buffer size.
+
         [BZ #11189]
         * posix/regexec.c (prune_impossible_nodes): Avoid overflow
         in computing re_malloc buffer size.
diff --git a/posix/regexec.c b/posix/regexec.c

index a3a7a60..11f3d31 100644 (file)
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -691,6 +691,13 @@ re_search_internal (preg, string, length, start, range, stop, nmatch, pmatch,
       multi character collating element.  */
    if (nmatch > 1 || dfa->has_mb_node)
      {
+      /* Avoid overflow.  */
+      if (BE (SIZE_MAX / sizeof (re_dfastate_t *) <= mctx.input.bufs_len, 0))
+       {
+         err = REG_ESPACE;
+         goto free_return;
+       }
+
        mctx.state_log = re_malloc (re_dfastate_t *, mctx.input.bufs_len + 1);
        if (BE (mctx.state_log == NULL, 0))
         {
author	Paul Eggert <eggert@cs.ucla.edu>
	Fri, 22 Jan 2010 20:15:53 +0000 (12:15 -0800)
committer	Ulrich Drepper <drepper@redhat.com>
	Fri, 22 Jan 2010 20:15:53 +0000 (12:15 -0800)
ChangeLog		patch \| blob \| history
posix/regexec.c		patch \| blob \| history