* new version 2.20.3

   * SMIME: If a message contains a RFC822 atachment that is
     signed/decrypted add the ability to view its SMIME information.

   * SMIME: The ^E command that gives information on the certificate
     is only available for messages that have a signed or encrypted part.

   * Fix vulnerability in regex library. This only affects those who use
     this library, such as the windows version of Alpine. See
     http://www.kb.cert.org/vuls/id/695940.

   * HTML: Add support for decoding entities in hexadecimal notation.
     Suggested by Tulipánt Gergely.

   * Pico: Add the ability to search for strings in the beginning or end
     of a line. In the search menu, pressing Ctrl-^ toggles the prompt
     to search for a string at the beginning of a line. Another press of
     Ctrl-^ toggles the prompt to search for a string at the end of a line,
     and pressing Ctrl-^ one more time searches for the string anywhere in
     the text.

1 files changed, 7 insertions, 0 deletions

diff --git a/regex/regcomp.c b/regex/regcomp.c
index 0747190a..0d083167 100644
--- a/regex/regcomp.c
+++ b/regex/regcomp.c
@@ -183,6 +183,7 @@ regcomp(regex_t *preg, const char *pattern, int cflags)
 	register struct parse *p = &pa;
 	register int i;
 	register size_t len;
+	register size_t maxlen;
 #ifdef REDEBUG
 #	define	GOODFLAGS(f)	(f)
 #else
@@ -205,7 +206,13 @@ regcomp(regex_t *preg, const char *pattern, int cflags)
 							(NC-1)*sizeof(cat_t));
 	if (g == NULL)
 		return(REG_ESPACE);
+	maxlen = ((size_t)-1 >> 1) / sizeof(sop) * 2 / 3;
+	if (len >= maxlen) {
+		free((char *)g);
+		return(REG_ESPACE);
+	}
 	p->ssize = len/(size_t)2*(size_t)3 + (size_t)1;	/* ugh */
+	assert(p->ssize >= len);
 	p->strip = (sop *)malloc(p->ssize * sizeof(sop));
 	p->slen = 0;
 	if (p->strip == NULL) {