Diffstat (limited to 'src')
-rw-r--r--src/memory.c10
-rw-r--r--src/search.c9
2 files changed, 18 insertions, 1 deletions
diff --git a/src/memory.c b/src/memory.c
index 9846753..2d93b12 100644
--- a/src/memory.c
+++ b/src/memory.c
@@ -678,7 +678,15 @@ teco_memory_check(gsize request, GError **error)
{
gsize memory_usage = g_atomic_int_get(&teco_memory_usage) + request;
- if (G_UNLIKELY(teco_memory_limit && memory_usage > teco_memory_limit)) {
+ /*
+ * Check for overflows.
+ * NOTE: Glib 2.48 has g_size_checked_add().
+ */
+ if (G_UNLIKELY(memory_usage < request))
+ /* guaranteed to fail if memory limiting is enabled */
+ memory_usage = G_MAXSIZE;
+
+ if (G_UNLIKELY(teco_memory_limit && memory_usage >= teco_memory_limit)) {
g_autofree gchar *limit_str = g_format_size(memory_usage);
g_set_error(error, TECO_ERROR, TECO_ERROR_MEMLIMIT,
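Review bot: When the addition wraps, `memory_usage` is saturated to `G_MAXSIZE` and that sentinel is then passed to `g_format_size(memory_usage)` just below, so the memory-limit error would report an impossible usage figure instead of saying that the request overflowed. I would either set a distinct message in the overflow branch or say so in the comment, e.g. `/* saturate: the error below then reports G_MAXSIZE, not the real usage */`. As the inline comment notes, the saturation only rejects the request when `teco_memory_limit` is non-zero, so callers that run with limiting disabled still need their own size validation. The new unbraced `if` with a comment between the condition and its statement would be more robust with braces. The body of teco_memory_check continues past the end of this hunk.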
diff --git a/src/search.c b/src/search.c
index 4c324a6..3ccecde 100644
--- a/src/search.c
+++ b/src/search.c
@@ -496,6 +496,15 @@ teco_do_search(GRegex *re, gint from, gint to, gint *count, GError **error)
gsize matched_size = sizeof(teco_range_t) * -*count;
/*
+ * matched_size could overflow.
+ * NOTE: Glib 2.48 has g_size_checked_mul() which uses
+ * compiler intrinsics.
+ */
+ if (matched_size / sizeof(teco_range_t) != -*count)
+ /* guaranteed to fail either teco_memory_check() or g_malloc() */
+ matched_size = G_MAXSIZE;
+
+ /*
* NOTE: It's theoretically possible that the allocation of the `matched`
* array causes an OOM if (-count) is large enough and regular
* memory limiting in teco_machine_main_step() wouldn't help.
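Review bot: The added guard `if (matched_size / sizeof(teco_range_t) != -*count)` negates `*count` as a `gint` before it is widened, exactly like the multiplication above it, so a `*count` of `G_MININT` is signed overflow (undefined behaviour) before the check can catch anything, and the comparison mixes signed and unsigned operands. Widening first keeps both lines well defined: `gsize n = -(gsize)*count;`, then `gsize matched_size = sizeof(teco_range_t) * n;` and `if (matched_size / sizeof(teco_range_t) != n)`. The fallback comment also relies on g_malloc() failing, which in GLib terminates the process rather than returning an error; if the allocation outside this hunk is a plain g_malloc(), the saturated size becomes an abort whenever memory limiting is disabled, so setting a GError at this point would be the gentler outcome. teco_do_search starts and ends outside the hunk, so whether `*count` is already known to be negative here cannot be confirmed from these lines.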