* [PATCH] Fix accesses to uninitialized memory in get_subexp
@ 2004-01-19 14:21 Jakub Jelinek
From: Jakub Jelinek @ 2004-01-19 14:21 UTC (permalink / raw)
To: Ulrich Drepper; +Cc: Glibc hackers
Hi!
get_subexp would happily compare bytes beyond the end of the buffer (or beyond
the end of the valid chars).
2004-01-19 Jakub Jelinek <jakub@redhat.com>
* posix/regexec.c (get_subexp): Remove bkref_str variable.
Extend buffers if needed before comparisons.
(get_subexp_sub): Handle clean_state_log_if_needed failure.
--- libc/posix/regexec.c.jj 2004-01-03 13:42:56.000000000 +0100
+++ libc/posix/regexec.c 2004-01-19 15:00:53.000000000 +0100
@@ -2551,7 +2551,6 @@ get_subexp (mctx, bkref_node, bkref_str_
re_sub_match_top_t *sub_top = mctx->sub_tops[sub_top_idx];
re_sub_match_last_t *sub_last;
int sub_last_idx, sl_str, bkref_str_off;
- const char *bkref_str;
if (dfa->nodes[sub_top->node].opr.idx != subexp_num)
continue; /* It isn't related. */
@@ -2567,9 +2566,24 @@ get_subexp (mctx, bkref_node, bkref_str_
sl_str_diff = sub_last->str_idx - sl_str;
/* The matched string by the sub expression match with the substring
at the back reference? */
- if (sl_str_diff > 0
- && memcmp (buf + bkref_str_off, buf + sl_str, sl_str_diff) != 0)
- break; /* We don't need to search this sub expression any more. */
+ if (sl_str_diff > 0)
+ {
+ if (BE (bkref_str_off + sl_str_diff > mctx->input.valid_len, 0))
+ {
+ /* Not enough chars for a successful match. */
+ if (bkref_str_off + sl_str_diff > mctx->input.len)
+ break;
+
+ err = clean_state_log_if_needed (mctx,
+ bkref_str_off
+ + sl_str_diff);
+ if (BE (err != REG_NOERROR, 0))
+ return err;
+ buf = (const char *) re_string_get_buffer (&mctx->input);
+ }
+ if (memcmp (buf + bkref_str_off, buf + sl_str, sl_str_diff) != 0)
+ break; /* We don't need to search this sub expression any more. */
+ }
bkref_str_off += sl_str_diff;
sl_str += sl_str_diff;
err = get_subexp_sub (mctx, sub_top, sub_last, bkref_node,
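Review bot: the `memcmp` that follows the `BE (bkref_str_off + sl_str_diff > mctx->input.valid_len, 0)` block relies on `clean_state_log_if_needed (mctx, bkref_str_off + sl_str_diff)` having raised `valid_len` to at least that index, and nothing re-checks it after the call; if that helper can return REG_NOERROR while extending less than requested, the overread this patch fixes survives on that path. A comment stating the invariant (or a debug assertion on `mctx->input.valid_len` just before the `memcmp`) would make the dependency explicit. Re-reading `buf` from `re_string_get_buffer` after the call is correct, since extension may move the storage.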
@@ -2584,7 +2598,6 @@ get_subexp (mctx, bkref_node, bkref_str_
if (BE (err != REG_NOERROR, 0))
return err;
}
- bkref_str = buf + bkref_str_off;
if (sub_last_idx < sub_top->nlasts)
continue;
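Review bot: dropping `bkref_str = buf + bkref_str_off;` is required rather than cosmetic: the other hunks now re-read `buf` from `re_string_get_buffer` after each extension, so a pointer cached here could point into storage that has since been reallocated. Keeping only the integer offset `bkref_str_off` avoids the stale pointer; the ChangeLog entry could say so in a few words.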
@@ -2598,8 +2611,24 @@ get_subexp (mctx, bkref_node, bkref_str_
sl_str_off = sl_str - sub_top->str_idx;
/* The matched string by the sub expression match with the substring
at the back reference? */
- if (sl_str_off > 0 && *bkref_str++ != buf[sl_str - 1])
- break; /* We don't need to search this sub expression any more. */
+ if (sl_str_off > 0)
+ {
+ if (BE (bkref_str_off >= mctx->input.valid_len, 0))
+ {
+ /* If we are at the end of the input, we cannot match. */
+ if (bkref_str_off >= mctx->input.len)
+ break;
+
+ err = extend_buffers (mctx);
+ if (BE (err != REG_NOERROR, 0))
+ return err;
+
+ buf = (const char *) re_string_get_buffer (&mctx->input);
+ }
+ if (buf [bkref_str_off++] != buf[sl_str - 1])
+ break; /* We don't need to search this sub expression
+ any more. */
+ }
if (mctx->state_log[sl_str] == NULL)
continue;
/* Does this state have a ')' of the sub expression? */
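Review bot: this hunk calls `extend_buffers (mctx)` with no target index, unlike the earlier hunk which asks `clean_state_log_if_needed` for `bkref_str_off + sl_str_diff`, so the following `buf [bkref_str_off++]` assumes a single call raises `valid_len` above `bkref_str_off`. Given the preceding `bkref_str_off >= mctx->input.len` guard that is plausible, but it deserves a comment or an assertion. Style: `buf [bkref_str_off++]` has a space before the subscript while the same line writes `buf[sl_str - 1]`; pick one form.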
@@ -2659,8 +2688,7 @@ get_subexp_sub (mctx, sub_top, sub_last,
if (BE (err != REG_NOERROR, 0))
return err;
to_idx = bkref_str + sub_last->str_idx - sub_top->str_idx;
- clean_state_log_if_needed (mctx, to_idx);
- return REG_NOERROR;
+ return clean_state_log_if_needed (mctx, to_idx);
}
/* Find the first node which is '(' or ')' and whose index is SUBEXP_IDX.
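Review bot: returning the result of `clean_state_log_if_needed` instead of discarding it closes a silent-failure path, and the caller shown in the second hunk already tests `err != REG_NOERROR` right after `get_subexp_sub`, so the error now propagates. One readability point: the `bkref_str` in `to_idx = bkref_str + sub_last->str_idx - sub_top->str_idx` is this function's integer parameter, not the pointer of the same name that the first hunk removes from `get_subexp`; renaming it (for example `bkref_str_idx`) would avoid the confusion.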
Jakub
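The bound the patch enforces, shown as an added example that is not part of Jakub's patch or of glibc: a toy lazily filled input buffer whose `len` / `valid_len` fields mirror the `mctx->input` fields named in the diff, with the unchecked comparison (the pre-patch shape) beside the checked one (the post-patch shape). The struct, the helper names (`extend_to`, `compare_checked`, `compare_unchecked`, `checked_on_sample`, `unchecked_on_sample`) and the sample input are all constructed for this illustration. It generalises slightly by checking both operands' ranges, whereas the patch only needs to check the back-reference side because the sub-expression side has already been matched.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy model of a lazily filled input buffer (illustration only, not glibc
   code).  `len` is the total input length; only the first `valid_len`
   bytes of `buf` have been filled so far, mirroring the
   mctx->input.len / mctx->input.valid_len split the patch checks. */
struct lazy_input {
    const char *source;   /* the complete input (constructed sample) */
    size_t len;           /* total length of the input */
    char buf[64];         /* storage that is filled on demand */
    size_t valid_len;     /* bytes of buf that have been initialized */
};

static void lazy_input_init(struct lazy_input *in, const char *source)
{
    in->source = source;
    in->len = strlen(source);
    /* Poison the storage so a read of an unfilled byte is visibly wrong. */
    memset(in->buf, 0x7f, sizeof in->buf);
    in->valid_len = 0;
}

/* Fill the buffer up to `needed` bytes.  Returns 0 on success, -1 if the
   request lies past the end of the input (needed > len). */
static int extend_to(struct lazy_input *in, size_t needed)
{
    if (needed > in->len)
        return -1;
    if (needed > in->valid_len) {
        memcpy(in->buf + in->valid_len, in->source + in->valid_len,
               needed - in->valid_len);
        in->valid_len = needed;
    }
    return 0;
}

/* Pre-patch shape: compares buf[a..a+n) with buf[b..b+n) without asking
   whether those bytes were ever filled.  Returns 1 on match, 0 otherwise. */
static int compare_unchecked(const struct lazy_input *in,
                             size_t a, size_t b, size_t n)
{
    return memcmp(in->buf + a, in->buf + b, n) == 0;
}

/* Post-patch shape: refuse ranges past the end of the input, extend the
   buffer when the range lies past valid_len, and only then compare.
   Returns 1 on match, 0 on mismatch, -1 when no match is possible. */
static int compare_checked(struct lazy_input *in, size_t a, size_t b, size_t n)
{
    size_t need = (a > b ? a : b) + n;
    if (need > in->len)
        return -1;          /* not enough chars for a successful match */
    if (need > in->valid_len && extend_to(in, need) != 0)
        return -1;
    return memcmp(in->buf + a, in->buf + b, n) == 0;
}

/* Helpers over one constructed sample: `prefill` bytes are filled before
   the comparison so both behaviours start from a known state. */
static const char SAMPLE[] = "abcabcabcxyz";   /* constructed input, len 12 */

static int checked_on_sample(size_t prefill, size_t a, size_t b, size_t n)
{
    struct lazy_input in;
    lazy_input_init(&in, SAMPLE);
    extend_to(&in, prefill);
    return compare_checked(&in, a, b, n);
}

static int unchecked_on_sample(size_t prefill, size_t a, size_t b, size_t n)
{
    struct lazy_input in;
    lazy_input_init(&in, SAMPLE);
    extend_to(&in, prefill);
    return compare_unchecked(&in, a, b, n);
}

int main(void)
{
    /* With only "abc" filled, the unchecked compare reads poison at [3,6)
       and reports a mismatch; the checked one extends first and matches. */
    printf("unchecked: %d\n", unchecked_on_sample(3, 0, 3, 3));   /* 0 */
    printf("checked:   %d\n", checked_on_sample(3, 0, 3, 3));     /* 1 */
    printf("past end:  %d\n", checked_on_sample(3, 9, 0, 4));     /* -1 */
    return 0;
}
```

The poisoned bytes stand in for whatever happens to sit in the real buffer past `valid_len`; in the toy the read stays inside the array, so the wrong answer is the only symptom, whereas in the original code the same read could run past the allocation entirely.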
* Re: [PATCH] Fix accesses to uninitialized memory in get_subexp
From: Ulrich Drepper @ 2004-01-19 20:17 UTC (permalink / raw)
To: Jakub Jelinek; +Cc: Glibc hackers
Jakub Jelinek wrote:
> * posix/regexec.c (get_subexp): Remove bkref_str variable.
> Extend buffers if needed before comparisons.
> (get_subexp_sub): Handle clean_state_log_if_needed failure.
Applied, thanks.
--
➧ Ulrich Drepper ➧ Red Hat, Inc. ➧ 444 Castro St ➧ Mountain View, CA ❖