regexec.c: avoid overflow in computing sum of lengths

author Paul Eggert <eggert@cs.ucla.edu>

Fri, 22 Jan 2010 20:22:18 +0000 (12:22 -0800)

committer Ulrich Drepper <drepper@redhat.com>

Fri, 22 Jan 2010 20:22:18 +0000 (12:22 -0800)
author Paul Eggert <eggert@cs.ucla.edu>
Fri, 22 Jan 2010 20:22:18 +0000 (12:22 -0800)
committer Ulrich Drepper <drepper@redhat.com>
Fri, 22 Jan 2010 20:22:18 +0000 (12:22 -0800)
diff --git a/ChangeLog b/ChangeLog

index 31251f16c940525a4edc88cb1b5fef7e6046d9f3..e6167fae8946433142844a6b14d6188d69e6fd1a 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
  2010-01-22  Jim Meyering  <jim@meyering.net>
  
+       [BZ #11191]
+       * posix/regexec.c (re_search_2_stub): Check for overflow
+       when adding the sizes of the two strings.
+
         [BZ #11190]
         * posix/regexec.c (re_search_internal): Avoid overflow
         in computing re_malloc buffer size.
diff --git a/posix/regexec.c b/posix/regexec.c

index 11f3d311285bf6d792292f51f68a73eeacf267d7..bad52ac2e0461d536b378a643b049c2d29de8ea3 100644 (file)
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -370,7 +370,7 @@ re_search_2_stub (bufp, string1, length1, string2, length2, start, range, regs,
    int len = length1 + length2;
    char *s = NULL;
  
-  if (BE (length1 < 0 || length2 < 0 || stop < 0, 0))
+  if (BE (length1 < 0 || length2 < 0 || stop < 0 || len < length1, 0))
      return -2;
  
    /* Concatenate the strings.  */
author	Paul Eggert <eggert@cs.ucla.edu>
	Fri, 22 Jan 2010 20:22:18 +0000 (12:22 -0800)
committer	Ulrich Drepper <drepper@redhat.com>
	Fri, 22 Jan 2010 20:22:18 +0000 (12:22 -0800)
ChangeLog		patch \| blob \| blame \| history
posix/regexec.c		patch \| blob \| blame \| history