re_search_internal: Avoid overflow in computing re_malloc buffer size

2010-01-22 12:15:53 -08:00 · 2010-01-22 12:15:53 -08:00 · eadc09f22c
parent 4cd028677b
commit eadc09f22c
2 changed files with 11 additions and 0 deletions
--- a/4
+++ b/4
@ -1,5 +1,9 @@
 2010-01-22  Jim Meyering  <jim@meyering.net>

+	[BZ #11190]
+	* posix/regexec.c (re_search_internal): Avoid overflow
+	in computing re_malloc buffer size.
+
 	[BZ #11189]
 	* posix/regexec.c (prune_impossible_nodes): Avoid overflow
 	in computing re_malloc buffer size.
--- a/posix/regexec.c
+++ b/posix/regexec.c
@ -691,6 +691,13 @@ re_search_internal (preg, string, length, start, range, stop, nmatch, pmatch,
     multi character collating element.  */
  if (nmatch > 1 || dfa->has_mb_node)
    {
+      /* Avoid overflow.  */
+      if (BE (SIZE_MAX / sizeof (re_dfastate_t *) <= mctx.input.bufs_len, 0))
+	{
+	  err = REG_ESPACE;
+	  goto free_return;
+	}
+
      mctx.state_log = re_malloc (re_dfastate_t *, mctx.input.bufs_len + 1);
      if (BE (mctx.state_log == NULL, 0))
 	{