From: Paul Eggert <eggert@cs.ucla.edu>
Date: Fri, 22 Jan 2010 20:15:53 +0000 (-0800)
Subject: re_search_internal: Avoid overflow in computing re_malloc buffer size
X-Git-Tag: glibc-2.12~223
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=eadc09f22cd81dd0153fba0fd8514261ea9b4196;p=platform%2Fupstream%2Fglibc.git

re_search_internal: Avoid overflow in computing re_malloc buffer size
---

diff --git a/ChangeLog b/ChangeLog
index 1975f6d..31251f1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
 2010-01-22  Jim Meyering  <jim@meyering.net>
 
+	[BZ #11190]
+	* posix/regexec.c (re_search_internal): Avoid overflow
+	in computing re_malloc buffer size.
+
 	[BZ #11189]
 	* posix/regexec.c (prune_impossible_nodes): Avoid overflow
 	in computing re_malloc buffer size.
diff --git a/posix/regexec.c b/posix/regexec.c
index a3a7a60..11f3d31 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -691,6 +691,13 @@ re_search_internal (preg, string, length, start, range, stop, nmatch, pmatch,
      multi character collating element.  */
   if (nmatch > 1 || dfa->has_mb_node)
     {
+      /* Avoid overflow.  */
+      if (BE (SIZE_MAX / sizeof (re_dfastate_t *) <= mctx.input.bufs_len, 0))
+	{
+	  err = REG_ESPACE;
+	  goto free_return;
+	}
+
       mctx.state_log = re_malloc (re_dfastate_t *, mctx.input.bufs_len + 1);
       if (BE (mctx.state_log == NULL, 0))
 	{