From e786dc0ae295ff293d5ed437b4c2790f18109cf5 Mon Sep 17 00:00:00 2001 From: doug Date: Sat, 11 Oct 2014 04:23:12 +0000 Subject: Userland reallocarray() audit. Avoid potential integer overflow in the size argument of malloc() and realloc() by using reallocarray() to avoid unchecked multiplication. ok deraadt@
---
 lib/libc/regex/regexec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'lib/libc/regex')
diff --git a/lib/libc/regex/regexec.c b/lib/libc/regex/regexec.c
index 5e986f34c3c..ed6a4b8d62b 100644
--- a/lib/libc/regex/regexec.c
+++ b/lib/libc/regex/regexec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: regexec.c,v 1.12 2013/04/17 17:39:29 tedu Exp $ */
+/* $OpenBSD: regexec.c,v 1.13 2014/10/11 04:23:12 doug Exp $ */
 /*-
 * Copyright (c) 1992, 1993, 1994 Henry Spencer.
 * Copyright (c) 1992, 1993, 1994
@@ -109,7 +109,8 @@
 #define ASSIGN(d, s) memcpy(d, s, m->g->nstates)
 #define EQ(a, b) (memcmp(a, b, m->g->nstates) == 0)
 #define STATEVARS long vn; char *space
-#define STATESETUP(m, nv) { (m)->space = malloc((nv)*(m)->g->nstates); \
+#define STATESETUP(m, nv) { (m)->space = reallocarray(NULL, \
+ (m)->g->nstates, (nv)); \
 if ((m)->space == NULL) return(REG_ESPACE); \
 (m)->vn = 0; }
 #define STATETEARDOWN(m) { free((m)->space); }
-- cgit v1.2.3-59-g8ed1b
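Review bot: In the second hunk the new call in STATESETUP passes `(m)->g->nstates` as reallocarray()'s nmemb and `(nv)` as its size, the reverse of what is being allocated: nv vectors of nstates bytes each, as the ASSIGN and EQ context lines show by copying and comparing nstates bytes. The overflow check does not depend on argument order, so behaviour is unchanged, but `reallocarray(NULL, (nv), (m)->g->nstates)` would read as the layout it creates. A one-line comment above the macro would also help the next auditor, for example `/* nv vectors of nstates bytes; reallocarray() rejects an overflowing product; returns REG_ESPACE from the caller on failure */`. The types of nstates and nv are not visible in this hunk; if nstates is signed, a negative value would convert to a very large size_t and presumably be refused by the allocator rather than wrap, which is worth confirming against the declaration.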