The regex code currently misbehaves badly if there's an arithmetic overflow when calculating sizes, e.g., when doubling buffer sizes. I'll attach a patch for all the instances of this that I found. These patches are conservative, in the sense that when I couldn't determine whether an overflow was possible, I inserted a run-time check.
Created attachment 645: add some size-overflow checks to regex code
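The kind of run-time check the report describes for buffer doubling, as an added example. This is not code from the attached patch or from glibc; `grow_buf`, `checked_mul` and `grow_buf_double` are hypothetical names, and the sample states in `main` are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: a * b, failing instead of wrapping around. */
static int checked_mul(size_t a, size_t b, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b)
        return -1;
    *out = a * b;
    return 0;
}

/* Hypothetical growable array of fixed-size elements. */
struct grow_buf {
    void  *data;
    size_t alloc;   /* elements currently allocated */
    size_t elsize;  /* bytes per element */
};

/* Double the capacity (or start at `initial`). Returns 0 on success,
   -1 with errno = ENOMEM on overflow or allocation failure; on
   failure the buffer and its recorded size are left unchanged. */
static int grow_buf_double(struct grow_buf *b, size_t initial)
{
    size_t new_alloc, nbytes;
    void *p;

    if (b->alloc == 0)
        new_alloc = initial ? initial : 1;
    else if (b->alloc > SIZE_MAX / 2)        /* element count would wrap */
        goto fail;
    else
        new_alloc = b->alloc * 2;
    /* The byte count can wrap even when the element count does not. */
    if (checked_mul(new_alloc, b->elsize, &nbytes) != 0 || nbytes == 0)
        goto fail;
    if ((p = realloc(b->data, nbytes)) == NULL)
        goto fail;
    b->data = p;
    b->alloc = new_alloc;
    return 0;
fail:
    errno = ENOMEM;
    return -1;
}

int main(void)
{
    struct grow_buf ok = { NULL, 0, sizeof(int) };
    struct grow_buf huge = { NULL, SIZE_MAX / 2 + 1, 1 };  /* constructed */
    printf("%d %d\n", grow_buf_double(&ok, 8), grow_buf_double(&huge, 8));
    free(ok.data);
    return 0;
}
```

Without the two checks, a wrapped size would make `realloc` return a buffer smaller than the recorded `alloc`, and later writes would run past its end.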
Just to preempt Ulrich, with whom I agree in this case, the patch as is does not apply. Please redo the patch without the Idx type, as it could be a good thing to have.
Paul, could you recreate the patch so that it applies cleanly against the current git head?
Paul, could you redo the patch for current glibc, please?