From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: by sourceware.org (Postfix, from userid 2178) id 394CD3858004; Fri, 11 Nov 2022 16:29:05 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 394CD3858004
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1668184145; bh=6lySwaPICTqQnS2kVwb7yobFASictLmQgOjXZMVfjbU=; h=From:To:Subject:Date:From; b=aawQJYSnncSUWQyMK1J2u89g6b08rJtIBTaVb00r5R33U2K7qli/M1DGYCSsvzN/i k6Mp4GjP+HPpztaUI10Xy1JGd9GVWWreH+mx+vr9KZnsmI3Z+SndKe/DdX7TxBn1yM eb2NOcLZp6JtuodKxYNy5koJCrolHELhCvampEDk=
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Florian Weimer
To: glibc-cvs@sourceware.org
Subject: [glibc/release/2.34/master] regex: fix buffer read overrun in search [BZ#28470]
X-Act-Checkin: glibc
X-Git-Author: Paul Eggert
X-Git-Refname: refs/heads/release/2.34/master
X-Git-Oldrev: 86a701a20479dfbc23540b3143fd5b28660a2447
X-Git-Newrev: fa5044f1e38f4f6515253449b6ca77fd14f53b8e
Message-Id: <20221111162905.394CD3858004@sourceware.org>
Date: Fri, 11 Nov 2022 16:29:05 +0000 (GMT)
List-Id:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fa5044f1e38f4f6515253449b6ca77fd14f53b8e

commit fa5044f1e38f4f6515253449b6ca77fd14f53b8e
Author: Paul Eggert
Date:   Wed Nov 24 14:16:09 2021 -0800

    regex: fix buffer read overrun in search [BZ#28470]

    Problem reported by Benno Schulenberg in:
    https://lists.gnu.org/r/bug-gnulib/2021-10/msg00035.html
    * posix/regexec.c (re_search_internal): Use better bounds check.

    (cherry picked from commit c52ef24829f95a819965214eeae28e3289a91a61)

Diff:
---
 NEWS            | 1 +
 posix/regexec.c | 7 +++----
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/NEWS b/NEWS
index 8329b2454c..ca93010a94 100644
--- a/NEWS
+++ b/NEWS
@@ -77,6 +77,7 @@ The following bugs are resolved with this release: [28357] deadlock between pthread_create and ELF constructors [28361] nptl: Avoid setxid deadlock with blocked signals in thread exit [28407] pthread_kill assumes that kill and tgkill are equivalent + [28470] Buffer read overrun in regular expression searching [28524] Conversion from ISO-2022-JP-3 with iconv may emit spurious NULs [28532] powerpc64[le]: CFI for assembly templated syscalls is incorrect [28607] Masked signals are delivered on thread exit diff --git a/posix/regexec.c b/posix/regexec.c index 83e9aaf8ca..6aeba3c0b4 100644 --- a/posix/regexec.c +++ b/posix/regexec.c @@ -758,10 +758,9 @@ re_search_internal (const regex_t *preg, const char *string, Idx length, offset = match_first - mctx.input.raw_mbs_idx; } - /* If MATCH_FIRST is out of the buffer, leave it as '\0'. - Note that MATCH_FIRST must not be smaller than 0. */ - ch = (match_first >= length - ? 0 : re_string_byte_at (&mctx.input, offset)); + /* Use buffer byte if OFFSET is in buffer, otherwise '\0'. */ + ch = (offset < mctx.input.valid_len + ? re_string_byte_at (&mctx.input, offset) : 0); if (fastmap[ch]) break; match_first += incr;
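Review bot: in the posix/regexec.c hunk the new condition `offset < mctx.input.valid_len` guards only the upper end, while the comment it removes carried the invariant that MATCH_FIRST must not be smaller than 0; now that the index actually used is OFFSET (computed just above as `match_first - mctx.input.raw_mbs_idx`), the replacement comment should say why OFFSET cannot be negative at this point, or the check should read `0 <= offset && offset < mctx.input.valid_len`, so the lower-bound invariant is not dropped silently. The substance of the change is correct: `re_string_byte_at (&mctx.input, offset)` indexes the input buffer by OFFSET, and that buffer can hold fewer valid bytes than remain in the string, so comparing `match_first` against `length` let the read run past the valid data; comparing OFFSET against `valid_len` bounds the read by what the buffer actually contains.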