From: Paul Eggert <eggert@cs.ucla.edu>
Date: Fri, 22 Jan 2010 20:22:18 +0000 (-0800)
Subject: regexec.c: avoid overflow in computing sum of lengths
X-Git-Tag: fedora/glibc-2.11.90-11~1^2~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=42a2c9b5c3c92f7e2f556d7bc9dc80e557484574;p=thirdparty%2Fglibc.git

regexec.c: avoid overflow in computing sum of lengths
---

diff --git a/ChangeLog b/ChangeLog
index 31251f16c94..e6167fae894 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
 2010-01-22  Jim Meyering  <jim@meyering.net>
 
+	[BZ #11191]
+	* posix/regexec.c (re_search_2_stub): Check for overflow
+	when adding the sizes of the two strings.
+
 	[BZ #11190]
 	* posix/regexec.c (re_search_internal): Avoid overflow
 	in computing re_malloc buffer size.
diff --git a/posix/regexec.c b/posix/regexec.c
index 11f3d311285..bad52ac2e04 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -370,7 +370,7 @@ re_search_2_stub (bufp, string1, length1, string2, length2, start, range, regs,
   int len = length1 + length2;
   char *s = NULL;
 
-  if (BE (length1 < 0 || length2 < 0 || stop < 0, 0))
+  if (BE (length1 < 0 || length2 < 0 || stop < 0 || len < length1, 0))
     return -2;
 
   /* Concatenate the strings.  */