From: Aurelien Jarno
To: libc-stable@sourceware.org
Cc: Paul Eggert
Subject: [2.28 COMMITTED] regex: fix read overrun [BZ #24114]
Date: Tue, 01 Jan 2019 00:00:00 -0000
Message-Id: <20190317084412.15402-1-aurelien@aurel32.net>

From: Paul Eggert Problem found by AddressSanitizer, reported by Hongxu Chen in: https://debbugs.gnu.org/34140 * posix/regexec.c (proceed_next_node): Do not read past end of input buffer. (cherry picked from commit 583dd860d5b833037175247230a328f0050dbfe9) --- ChangeLog | 8 ++++++++ posix/regexec.c | 6 ++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index e5011123eb7..0ef60fa5ac5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2019-01-31 Paul Eggert + + regex: fix read overrun [BZ #24114] + Problem found by AddressSanitizer, reported by Hongxu Chen in: + https://debbugs.gnu.org/34140 + * posix/regexec.c (proceed_next_node): + Do not read past end of input buffer. + 2018-11-07 Andreas Schwab [BZ #23864] diff --git a/posix/regexec.c b/posix/regexec.c index 73644c23413..06b8487c3e3 100644 --- a/posix/regexec.c +++ b/posix/regexec.c @@ -1289,8 +1289,10 @@ proceed_next_node (const re_match_context_t *mctx, Idx nregs, regmatch_t *regs, else if (naccepted) { char *buf = (char *) re_string_get_buffer (&mctx->input); - if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx, - naccepted) != 0) + if (mctx->input.valid_len - *pidx < naccepted + || (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx, + naccepted) + != 0)) return -1; } } -- 2.20.1
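
Review bot: In the posix/regexec.c hunk, the new guard `mctx->input.valid_len - *pidx < naccepted` bounds only the second memcmp operand (`buf + *pidx`); nothing in the visible lines bounds the first operand, `buf + regs[subexp_idx].rm_so`, for the same `naccepted` bytes. If that range is already guaranteed to lie inside the valid input by the way the sub-expression registers were recorded, a one-line comment saying so would help; otherwise it needs the same check. The subtraction also relies on `*pidx` not exceeding `valid_len`, so I would state that invariant in a comment next to the guard, along with the reason for the early `return -1`: fewer than `naccepted` bytes remain, so the back-reference cannot match here.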