* [PATCH] Fix regex from reading uninitialized memory
@ 2004-01-13 23:29 Jakub Jelinek
  2004-01-14  1:45 ` Ulrich Drepper
  0 siblings, 1 reply; 2+ messages in thread
From: Jakub Jelinek @ 2004-01-13 23:29 UTC (permalink / raw)
  To: Ulrich Drepper; +Cc: Glibc hackers

Hi!

2004-01-14  Jakub Jelinek  <jakub@redhat.com>

	* posix/regcomp.c (peek_token_bracket): Check remaining
	string length before re_string_peek_byte (x, 1).
	(parse_bracket_symbol): Likewise.
	* posix/regex_internal.h (re_string_is_single_byte_char): Return
	true at last byte in the string.
	* posix/bug-regex22.c (main): Add new test.

--- libc/posix/regcomp.c.jj	2004-01-12 10:52:38.000000000 +0100
+++ libc/posix/regcomp.c	2004-01-14 00:16:17.000000000 +0100
@@ -1881,7 +1881,8 @@ peek_token_bracket (token, input, syntax
     }
 #endif /* RE_ENABLE_I18N */
 
-  if (c == '\\' && (syntax & RE_BACKSLASH_ESCAPE_IN_LISTS))
+  if (c == '\\' && (syntax & RE_BACKSLASH_ESCAPE_IN_LISTS)
+      && re_string_cur_idx (input) + 1 < re_string_length (input))
     {
       /* In this case, '\' escape a character.  */
       unsigned char c2;
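Review bot: The new look-ahead guard on the `c == '\\'` condition is written against `re_string_length (input)`, and the same expression is repeated in the next hunk before `re_string_peek_byte (input, 1)`, while parse_bracket_symbol in this patch guards its reads with `re_string_eoi`, which the regex_internal.h context line defines against `stop`. If `stop` and the string length can differ during compilation, the two checks bound different ranges; if they cannot, a single named helper would make that explicit, for example `#define re_string_has_next_byte(pstr) (re_string_cur_idx (pstr) + 1 < re_string_length (pstr))`. The definition of `re_string_length` is not visible here, so this needs confirming against the header. peek_token_bracket starts and ends outside the hunk.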
@@ -1895,7 +1896,10 @@ peek_token_bracket (token, input, syntax
     {
       unsigned char c2;
       int token_len;
-      c2 = re_string_peek_byte (input, 1);
+      if (re_string_cur_idx (input) + 1 < re_string_length (input))
+	c2 = re_string_peek_byte (input, 1);
+      else
+	c2 = 0;
       token->opr.c = c2;
       token_len = 2;
       switch (c2)
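Review bot: The fallback `c2 = 0` doubles as the "no byte follows" marker, but a pattern passed with an explicit length can hold a real NUL byte at that position, so the two cases are indistinguishable after this point. `token_len = 2` is still assigned right after, and the `switch (c2)` body is outside the hunk; if its default arm does not reset the length to 1, the token would claim a byte past the end of the input. A comment at the `else` would record the assumption, for example `/* No byte follows; 0 must fall into the default case below, which resets token_len. */`.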
@@ -3268,14 +3272,18 @@ parse_bracket_symbol (elem, regexp, toke
 {
   unsigned char ch, delim = token->opr.c;
   int i = 0;
+  if (re_string_eoi(regexp))
+    return REG_EBRACK;
   for (;; ++i)
     {
-      if (re_string_eoi(regexp) || i >= BRACKET_NAME_BUF_SIZE)
+      if (i >= BRACKET_NAME_BUF_SIZE)
 	return REG_EBRACK;
       if (token->type == OP_OPEN_CHAR_CLASS)
 	ch = re_string_fetch_byte_case (regexp);
       else
 	ch = re_string_fetch_byte (regexp);
+      if (re_string_eoi(regexp))
+	return REG_EBRACK;
       if (ch == delim && re_string_peek_byte (regexp, 0) == ']')
 	break;
       elem->opr.name[i] = ch;
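Review bot: The end-of-input test added after the fetch returns REG_EBRACK even when the byte just fetched was valid, which is not obvious from the code alone. It is there because the terminator is two bytes (`delim` followed by `]`) and `re_string_peek_byte (regexp, 0)` on the next line would otherwise read past the end. A short comment above that check would keep a later cleanup from moving it back into the top-of-loop condition, for example `/* Need at least one more byte for the closing ']'; peeking at end of input reads past the buffer. */`. The function body continues outside the hunk, so the use of `elem->opr.name` after the loop cannot be checked here.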
--- libc/posix/regex_internal.h.jj	2004-01-12 10:52:38.000000000 +0100
+++ libc/posix/regex_internal.h	2004-01-14 00:18:48.000000000 +0100
@@ -408,7 +408,7 @@ static unsigned char re_string_fetch_byt
 #define re_string_first_byte(pstr, idx) \
   ((idx) == (pstr)->valid_len || (pstr)->wcs[idx] != WEOF)
 #define re_string_is_single_byte_char(pstr, idx) \
-  ((pstr)->wcs[idx] != WEOF && ((pstr)->valid_len == (idx) \
+  ((pstr)->wcs[idx] != WEOF && ((pstr)->valid_len == (idx) + 1 \
 				|| (pstr)->wcs[(idx) + 1] != WEOF))
 #define re_string_eoi(pstr) ((pstr)->stop <= (pstr)->cur_idx)
 #define re_string_cur_idx(pstr) ((pstr)->cur_idx)
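Review bot: `re_string_is_single_byte_char` still reads `(pstr)->wcs[idx]` unconditionally and relies on `(pstr)->valid_len == (idx) + 1` being evaluated before `(pstr)->wcs[(idx) + 1]`, yet neither the precondition nor the ordering is documented. Since this off-by-one is what allowed the read past the valid data, a comment above the macro would help, for example `/* IDX must be < valid_len; the length test must precede the wcs[(idx) + 1] read. */`. The macro also evaluates `idx` up to three times, so callers must not pass an expression with side effects.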
--- libc/posix/bug-regex22.c.jj	2004-01-06 23:00:49.000000000 +0100
+++ libc/posix/bug-regex22.c	2004-01-14 00:19:52.000000000 +0100
@@ -97,6 +97,16 @@ main (void)
 
   memset (&re, 0, sizeof (re));
   re.translate = trans;
+  s = re_compile_pattern ("[[:DIGIT:]]", 11, &re);
+  if (s == NULL)
+    {
+      printf ("compilation of \"[[:DIGIT:]]\" pattern unexpectedly succeeded: %s\n",
+	      s);
+      result = 1;
+    }
+
+  memset (&re, 0, sizeof (re));
+  re.translate = trans;
   s = re_compile_pattern ("[[:DIGIT:]]", 2, &re);
   if (s == NULL)
     {
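Review bot: In the added test block the `printf` sits inside `if (s == NULL)`, so the `%s` argument is always a null pointer. glibc prints `(null)` for that, but it is undefined behaviour in ISO C and adds no information to the message. Dropping the conversion is enough: `puts ("compilation of \"[[:DIGIT:]]\" pattern unexpectedly succeeded");`. The context lines after the added block open the same `if (s == NULL)` shape, so the existing message there may deserve the same change, though its body is outside the hunk.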

	Jakub


* Re: [PATCH] Fix regex from reading uninitialized memory
  2004-01-13 23:29 [PATCH] Fix regex from reading uninitialized memory Jakub Jelinek
@ 2004-01-14  1:45 ` Ulrich Drepper
  0 siblings, 0 replies; 2+ messages in thread
From: Ulrich Drepper @ 2004-01-14  1:45 UTC (permalink / raw)
  To: Jakub Jelinek; +Cc: Glibc hackers

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jakub Jelinek wrote:

> 	* posix/regcomp.c (peek_token_bracket): Check remaining
> 	string length before re_string_peek_byte (x, 1).
> 	(parse_bracket_symbol): Likewise.
> 	* posix/regex_internal.h (re_string_is_single_byte_char): Return
> 	true at last byte in the string.
> 	* posix/bug-regex22.c (main): Add new test.

Applied.

- -- 
➧ Ulrich Drepper ➧ Red Hat, Inc. ➧ 444 Castro St ➧ Mountain View, CA ❖
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFABJ5+2ijCOnn/RHQRAtTdAJ4wVN40O5++i+Wlv4zNn5BhGsUeXwCfQ8oq
32Ku/ymoshH6kgIMXRnG8T8=
=/2/U
-----END PGP SIGNATURE-----
