diff options
| author | Ulrich Drepper <drepper@redhat.com> | 2010-01-22 09:33:01 -0800 |
|---|---|---|
| committer | Petr Baudis <pasky@ucw.cz> | 2010-05-12 01:33:46 +0200 |
| commit | 5238213a22c9e64eff78e1eda1763c6c4bf52bcd (patch) | |
| tree | 2308d9c68f9f4a9b97b4b93c77c38f6fdb49b820 | |
| parent | b95387484e410a20334919b250f1614be468e41c (diff) | |
| download | glibc-5238213a22c9e64eff78e1eda1763c6c4bf52bcd.zip glibc-5238213a22c9e64eff78e1eda1763c6c4bf52bcd.tar.gz glibc-5238213a22c9e64eff78e1eda1763c6c4bf52bcd.tar.bz2 | |
regex: avoid internal re_realloc overflow
(cherry picked from commit 54dd0ab31fe2b2168ba1a6180a0c05941fb54b3c)
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | posix/regex_internal.c | 9 |
2 files changed, 13 insertions, 1 deletions
@@ -1,3 +1,8 @@ +2010-01-22 Jim Meyering <jim@meyering.net> + + * posix/regex_internal.c (re_string_realloc_buffers): + Detect and handle internal overflow. Patch by Paul Eggert + 2010-01-20 Andreas Schwab <schwab@redhat.com> * sysdeps/unix/sysv/linux/s390/s390-32/____longjmp_chk.c diff --git a/posix/regex_internal.c b/posix/regex_internal.c index c9da2b9..fec3123 100644 --- a/posix/regex_internal.c +++ b/posix/regex_internal.c @@ -133,7 +133,14 @@ re_string_realloc_buffers (re_string_t *pstr, int new_buf_len) #ifdef RE_ENABLE_I18N if (pstr->mb_cur_max > 1) { - wint_t *new_wcs = re_realloc (pstr->wcs, wint_t, new_buf_len); + wint_t *new_wcs; + + /* Avoid overflow in realloc. */ + const size_t max_object_size = MAX (sizeof (wint_t), sizeof (int)); + if (BE (SIZE_MAX / max_object_size < new_buf_len, 0)) + return REG_ESPACE; + + new_wcs = re_realloc (pstr->wcs, wint_t, new_buf_len); if (BE (new_wcs == NULL, 0)) return REG_ESPACE; pstr->wcs = new_wcs; |