From aef699dce14a56ff0f212f533e5ea485d3cec96a Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Fri, 22 Jan 2010 12:41:12 -0800
Subject: regexec.c: avoid overflow in realloc buffer length computation

---
 posix/regexec.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'posix/regexec.c')

diff --git a/posix/regexec.c b/posix/regexec.c
index 949c170..f877016 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -4104,6 +4104,10 @@ extend_buffers (re_match_context_t *mctx)
   reg_errcode_t ret;
   re_string_t *pstr = &mctx->input;
 
+  /* Avoid overflow.  */
+  if (BE (INT_MAX / 2 / sizeof (re_dfastate_t *) <= pstr->bufs_len, 0))
+    return REG_ESPACE;
+
   /* Double the lengthes of the buffers.  */
   ret = re_string_realloc_buffers (pstr, pstr->bufs_len * 2);
   if (BE (ret != REG_NOERROR, 0))
-- 
cgit v1.1