From d868f4ca31339095991e162e010fcda0f2d7bd39 Mon Sep 17 00:00:00 2001
From: Yusuke Endoh
Date: Wed, 9 Nov 2022 00:37:46 +0900
Subject: Check for integer overflow in the allocation of match_cache table
---
 regexec.c | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'regexec.c')
diff --git a/regexec.c b/regexec.c
index e8fffccd8b..febcb03f64 100644
--- a/regexec.c
+++ b/regexec.c
@@ -3842,6 +3842,10 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
 size_t len = (end - str) + 1;
 size_t match_cache_size8 = (size_t)msa->num_cache_opcode * len;
 /* overflow check */
+ if (match_cache_size8 / len != (size_t)msa->num_cache_opcode) {
+ return ONIGERR_MEMORY;
+ }
+ /* Currently, int is used for the key of match_cache */
 if (match_cache_size8 >= INT_MAX_LIMIT) {
 return ONIGERR_MEMORY;
 }
-- cgit v1.2.1
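Review bot: The added guard divides by `len`, so it is only safe if `len` can never be zero, which depends on `end >= str` holding at this point in match_at. That invariant is not visible in the hunk, and the body of match_at starts and ends outside it. If it cannot be guaranteed, testing before the multiplication removes the division hazard: `if (len == 0 || (size_t)msa->num_cache_opcode > SIZE_MAX / len) return ONIGERR_MEMORY;`. The existing `/* overflow check */` comment could also say what is at stake, for example `/* a wrapped product could pass the INT_MAX_LIMIT test below and undersize the match_cache allocation */`, so that a later cleanup does not drop the check as redundant with the range test that follows.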