regexec.c: avoid overflow in computing sum of lengths

2010-01-22 12:22:18 -08:00 · 2010-01-22 12:22:18 -08:00 · 42a2c9b5c3
parent eadc09f22c
commit 42a2c9b5c3
2 changed files with 5 additions and 1 deletions
--- a/4
+++ b/4
@ -1,5 +1,9 @@
 2010-01-22  Jim Meyering  <jim@meyering.net>

+	[BZ #11191]
+	* posix/regexec.c (re_search_2_stub): Check for overflow
+	when adding the sizes of the two strings.
+
 	[BZ #11190]
 	* posix/regexec.c (re_search_internal): Avoid overflow
 	in computing re_malloc buffer size.
--- a/posix/regexec.c
+++ b/posix/regexec.c
@ -370,7 +370,7 @@ re_search_2_stub (bufp, string1, length1, string2, length2, start, range, regs,
  int len = length1 + length2;
  char *s = NULL;

-  if (BE (length1 < 0 || length2 < 0 || stop < 0, 0))
+  if (BE (length1 < 0 || length2 < 0 || stop < 0 || len < length1, 0))
    return -2;

  /* Concatenate the strings.  */