From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <libc-hacker-return-6448-listarch-libc-hacker=sources.redhat.com@sources.redhat.com>
Received: (qmail 24138 invoked by alias); 7 Apr 2003 21:13:12 -0000
Mailing-List: contact libc-hacker-help@sources.redhat.com; run by ezmlm
Precedence: bulk
List-Subscribe: <mailto:libc-hacker-subscribe@sources.redhat.com>
List-Archive: <http://sources.redhat.com/ml/libc-hacker/>
List-Post: <mailto:libc-hacker@sources.redhat.com>
List-Help: <mailto:libc-hacker-help@sources.redhat.com>, <http://sources.redhat.com/ml/#faqs>
Sender: libc-hacker-owner@sources.redhat.com
Received: (qmail 24122 invoked from network); 7 Apr 2003 21:13:11 -0000
Received: from unknown (HELO localhost.localdomain) (195.113.19.66)
  by sources.redhat.com with SMTP; 7 Apr 2003 21:13:11 -0000
Received: from sunsite.mff.cuni.cz (localhost.localdomain [127.0.0.1])
	by localhost.localdomain (8.12.8/8.12.8) with ESMTP id h37LD8qO001541;
	Mon, 7 Apr 2003 23:13:08 +0200
Received: (from jakub@localhost)
	by sunsite.mff.cuni.cz (8.12.8/8.12.8/Submit) id h37LD8O2001539;
	Mon, 7 Apr 2003 23:13:08 +0200
Date: Mon, 07 Apr 2003 21:13:00 -0000
From: Jakub Jelinek <jakub@redhat.com>
To: Ulrich Drepper <drepper@redhat.com>, Roland McGrath <roland@redhat.com>
Cc: Glibc hackers <libc-hacker@sources.redhat.com>
Subject: [PATCH] Fix bug-regex4
Message-ID: <20030407211308.GX16629@sunsite.ms.mff.cuni.cz>
Reply-To: Jakub Jelinek <jakub@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4i
X-SW-Source: 2003-04/txt/msg00026.txt.bz2

Hi!

If range and/or stop arguments to re_search_2 are too large, re_search_2
might search beyond end of buffer.

2003-04-07  Jakub Jelinek  <jakub@redhat.com>

	* posix/bug-regex4.c (main): Cap range and stop arguments to
	sum of size1 and size2 arguments.

--- libc/posix/bug-regex4.c.jj	2002-07-29 09:14:54.000000000 -0400
+++ libc/posix/bug-regex4.c	2003-04-07 17:04:31.000000000 -0400
@@ -43,9 +43,9 @@ main (void)
     }
   else
     {
-      match[0] = re_search_2 (&regex, "xyabez", 6, "", 0, 1, 9, NULL, 10);
+      match[0] = re_search_2 (&regex, "xyabez", 6, "", 0, 1, 5, NULL, 6);
       match[1] = re_search_2 (&regex, NULL, 0, "abc", 3, 0, 3, NULL, 3);
-      match[2] = re_search_2 (&regex, "xya", 3, "bd", 2, 2, 6, NULL, 8);
+      match[2] = re_search_2 (&regex, "xya", 3, "bd", 2, 2, 3, NULL, 5);
       if (match[0] != 2 || match[1] != 0 || match[2] != 2)
 	{
 	  printf ("re_search_2 returned %d,%d,%d, expected 2,0,2\n",

	Jakub