diff options
| -rw-r--r-- | ChangeLog | 4 | ||||
| -rw-r--r-- | posix/regexec.c | 5 |
2 files changed, 9 insertions, 0 deletions
@@ -1,5 +1,9 @@ 2010-01-22 Jim Meyering <jim@meyering.net> + [BZ #11189] + * posix/regexec.c (prune_impossible_nodes): Avoid overflow + in computing re_malloc buffer size. + [BZ #11188] * posix/regexec.c (build_trtable): Avoid arithmetic overflow in size calculation. diff --git a/posix/regexec.c b/posix/regexec.c index 3765d00..a3a7a60 100644 --- a/posix/regexec.c +++ b/posix/regexec.c @@ -949,6 +949,11 @@ prune_impossible_nodes (mctx) #endif match_last = mctx->match_last; halt_node = mctx->last_node; + + /* Avoid overflow. */ + if (BE (SIZE_MAX / sizeof (re_dfastate_t *) <= match_last, 0)) + return REG_ESPACE; + sifted_states = re_malloc (re_dfastate_t *, match_last + 1); if (BE (sifted_states == NULL, 0)) { |