2010-01-22 Jim Meyering <jim@meyering.net>
+ [BZ #11190]
+ * posix/regexec.c (re_search_internal): Avoid overflow
+ in computing re_malloc buffer size.
+
[BZ #11189]
* posix/regexec.c (prune_impossible_nodes): Avoid overflow
in computing re_malloc buffer size.
multi character collating element. */
if (nmatch > 1 || dfa->has_mb_node)
{
+ /* Avoid overflow. */
+ if (BE (SIZE_MAX / sizeof (re_dfastate_t *) <= mctx.input.bufs_len, 0))
+ {
+ err = REG_ESPACE;
+ goto free_return;
+ }
+
mctx.state_log = re_malloc (re_dfastate_t *, mctx.input.bufs_len + 1);
if (BE (mctx.state_log == NULL, 0))
{