From d868f4ca31339095991e162e010fcda0f2d7bd39 Mon Sep 17 00:00:00 2001 From: Yusuke Endoh Date: Wed, 9 Nov 2022 00:37:46 +0900 Subject: [PATCH] Check for integer overflow in the allocation of match_cache table --- regexec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/regexec.c b/regexec.c index e8fffccd8b..febcb03f64 100644 --- a/regexec.c +++ b/regexec.c @@ -3842,6 +3842,10 @@ match_at(regex_t* reg, const UChar* str, const UChar* end, size_t len = (end - str) + 1; size_t match_cache_size8 = (size_t)msa->num_cache_opcode * len; /* overflow check */ + if (match_cache_size8 / len != (size_t)msa->num_cache_opcode) { + return ONIGERR_MEMORY; + } + /* Currently, int is used for the key of match_cache */ if (match_cache_size8 >= INT_MAX_LIMIT) { return ONIGERR_MEMORY; }