From aef699dce14a56ff0f212f533e5ea485d3cec96a Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Fri, 22 Jan 2010 12:41:12 -0800
Subject: [PATCH] regexec.c: avoid overflow in realloc buffer length
 computation

---
 ChangeLog       | 4 ++++
 posix/regexec.c | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 969326dbfb..91725d52a4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
 2010-01-22  Jim Meyering  <jim@meyering.net>
 
+	[BZ #11193]
+	* posix/regexec.c (extend_buffers): Avoid overflow in realloc
+	buffer length computation.
+
 	[BZ #11192]
 	* posix/regexec.c (re_copy_regs): Don't leak when allocation
 	of the start buffer succeeds but allocation of the "end" one fails.
diff --git a/posix/regexec.c b/posix/regexec.c
index 949c170ebd..f87701672b 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -4104,6 +4104,10 @@ extend_buffers (re_match_context_t *mctx)
   reg_errcode_t ret;
   re_string_t *pstr = &mctx->input;
 
+  /* Avoid overflow.  */
+  if (BE (INT_MAX / 2 / sizeof (re_dfastate_t *) <= pstr->bufs_len, 0))
+    return REG_ESPACE;
+
   /* Double the lengthes of the buffers.  */
   ret = re_string_realloc_buffers (pstr, pstr->bufs_len * 2);
   if (BE (ret != REG_NOERROR, 0))
-- 
2.11.4.GIT