From: Andreas Schwab
To: Paul Eggert
Cc: libc-alpha@sourceware.org
Subject: Re: [PATCH] regex: fix buffer read overrun in search [BZ#28470]
Date: Tue, 19 Oct 2021 17:09:15 +0200
Message-ID: <87k0i9oxus.fsf@igel.home>

On Oct 19 2021, Paul Eggert wrote:

> diff --git a/posix/regexec.c b/posix/regexec.c > index 83e9aaf8ca..6aeba3c0b4 100644 > --- a/posix/regexec.c > +++ b/posix/regexec.c 
> @@ -758,10 +758,9 @@ re_search_internal (const regex_t *preg, const char *string, Idx length, > > offset = match_first - mctx.input.raw_mbs_idx; > } > - /* If MATCH_FIRST is out of the buffer, leave it as '\0'. > - Note that MATCH_FIRST must not be smaller than 0. */ > - ch = (match_first >= length > - ? 0 : re_string_byte_at (&mctx.input, offset)); > + /* Use buffer byte if OFFSET is in buffer, otherwise '\0'. */ > + ch = (offset < mctx.input.valid_len > + ? re_string_byte_at (&mctx.input, offset) : 0); Why is the bug not in re_string_reconstruct? Since string[match_first] exists, so should re_string_byte_at (&mctx.input, offset). Andreas. -- Andreas Schwab, schwab@linux-m68k.org GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1 "And now for something completely different."
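
Review bot: The new guard on the `ch = ...` assignment bounds `offset` only from above (`offset < mctx.input.valid_len`), and the rewritten comment drops the old note that MATCH_FIRST must not be smaller than 0. In the context lines just above, `offset` is set to `match_first - mctx.input.raw_mbs_idx`, so the comment should say why that difference cannot be negative at this point, or the condition should check the lower bound explicitly before `re_string_byte_at` is called. The comment should also record when `offset` can reach `valid_len` while `match_first < length`, since that case is the only one where the old and new conditions differ and it is the reason for changing the guard here.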