authorYusuke Endoh <mame@ruby-lang.org>2022-11-09 00:37:46 +0900
committerYusuke Endoh <mame@ruby-lang.org>2022-11-09 23:21:26 +0900
commitd868f4ca31339095991e162e010fcda0f2d7bd39 (patch)
treea09332bd78d80f80e315b3fcf940add64cf1434a /regexec.c
parent14845ab4ffccc317a08629f4503c87ee97621c0b (diff)
Check for integer overflow in the allocation of match_cache table
Diffstat (limited to 'regexec.c')
-rw-r--r--regexec.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/regexec.c b/regexec.c
index e8fffccd8b..febcb03f64 100644
--- a/regexec.c
+++ b/regexec.c
@@ -3842,6 +3842,10 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
size_t len = (end - str) + 1;
size_t match_cache_size8 = (size_t)msa->num_cache_opcode * len;
/* overflow check */
+ if (match_cache_size8 / len != (size_t)msa->num_cache_opcode) {
+ return ONIGERR_MEMORY;
+ }
+ /* Currently, int is used for the key of match_cache */
if (match_cache_size8 >= INT_MAX_LIMIT) {
return ONIGERR_MEMORY;
}
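Review bot: The added wraparound test divides by `len`, so it relies on `len` being non-zero, and nothing visible in the hunk establishes that. `len` is `(end - str) + 1`, which is 0 only if `end` sits one element before `str`. If match_at's callers already guarantee `end >= str` this is safe, but the guard would be self-contained if it ran before the multiplication, as `if (len == 0 || (size_t)msa->num_cache_opcode > SIZE_MAX / len) return ONIGERR_MEMORY;`. The `/* overflow check */` comment could also state what is protected, e.g. `/* size_t product wraps silently; a wrapped value would under-size the match_cache table */`. match_at's body begins and ends outside the hunk, so the allocation that consumes `match_cache_size8` is not visible here.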