Check for integer overflow in the allocation of match_cache table

2022-11-09 00:37:46 +09:00 · 2022-11-09 00:37:46 +09:00 · d868f4ca31
--- a/regexec.c
+++ b/regexec.c
@ -3842,6 +3842,10 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
 	size_t len = (end - str) + 1;
 	size_t match_cache_size8 = (size_t)msa->num_cache_opcode * len;
 	/* overflow check */
+	if (match_cache_size8 / len != (size_t)msa->num_cache_opcode) {
+	  return ONIGERR_MEMORY;
+	}
+	/* Currently, int is used for the key of match_cache */
 	if (match_cache_size8 >= INT_MAX_LIMIT) {
 	  return ONIGERR_MEMORY;
 	}