From: Aurelien Jarno
To: libc-stable@sourceware.org
Cc: Paul Eggert
Subject: [2.29 COMMITTED] regex: fix read overrun [BZ #24114]
Date: Tue, 01 Jan 2019 00:00:00 -0000
Message-Id: <20190316223151.29219-1-aurelien@aurel32.net>

From: Paul Eggert Problem found by AddressSanitizer, reported by Hongxu Chen in: https://debbugs.gnu.org/34140 * posix/regexec.c (proceed_next_node): Do not read past end of input buffer. (cherry picked from commit 583dd860d5b833037175247230a328f0050dbfe9) --- ChangeLog | 8 ++++++++ posix/regexec.c | 6 ++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 90558e434ce..fb88626efe1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2019-01-31 Paul Eggert + + regex: fix read overrun [BZ #24114] + Problem found by AddressSanitizer, reported by Hongxu Chen in: + https://debbugs.gnu.org/34140 + * posix/regexec.c (proceed_next_node): + Do not read past end of input buffer. + 2019-03-13 Stefan Liebler * elf/dl-sysdep.c (_dl_show_auxv): Remove condition and always diff --git a/posix/regexec.c b/posix/regexec.c index 91d5a797b82..084b1222d95 100644 --- a/posix/regexec.c +++ b/posix/regexec.c @@ -1293,8 +1293,10 @@ proceed_next_node (const re_match_context_t *mctx, Idx nregs, regmatch_t *regs, else if (naccepted) { char *buf = (char *) re_string_get_buffer (&mctx->input); - if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx, - naccepted) != 0) + if (mctx->input.valid_len - *pidx < naccepted + || (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx, + naccepted) + != 0)) return -1; } } -- 2.20.1
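Review bot: In the posix/regexec.c hunk, the new guard `mctx->input.valid_len - *pidx < naccepted` bounds only the second memcmp operand (`buf + *pidx`); the first operand, `buf + regs[subexp_idx].rm_so`, is also read for `naccepted` bytes, and nothing in the visible lines shows that this range stays inside the valid part of the buffer. A short comment above the condition saying why the subexpression range is already within `valid_len` would make the fix self-explanatory, and an explicit check belongs there if that cannot be guaranteed. The subtraction also depends on `*pidx` never exceeding `valid_len`, or on the operands being signed so that a negative difference still fails the comparison; neither is visible in this hunk, so testing `*pidx <= mctx->input.valid_len` first would remove the dependency on the index type.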