* [2.28 COMMITTED] Record CVE-2019-9169 in NEWS and ChangeLog [BZ #24114]
2019-01-01 0:00 [2.28 COMMITTED] regex: fix read overrun [BZ #24114] Aurelien Jarno
@ 2019-01-01 0:00 ` Aurelien Jarno
0 siblings, 0 replies; 2+ messages in thread
From: Aurelien Jarno @ 2019-01-01 0:00 UTC (permalink / raw)
To: libc-stable; +Cc: Aurelien Jarno
(cherry picked from commit b626c5aa5d0673a9caa48fb79fba8bda237e6fa8)
---
ChangeLog | 1 +
NEWS | 4 ++++
2 files changed, 5 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 0ef60fa5ac5..5667d9262bc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
2019-01-31 Paul Eggert <eggert@cs.ucla.edu>
+ CVE-2019-9169
regex: fix read overrun [BZ #24114]
Problem found by AddressSanitizer, reported by Hongxu Chen in:
https://debbugs.gnu.org/34140
diff --git a/NEWS b/NEWS
index 11d9af739c3..f4981a16f08 100644
--- a/NEWS
+++ b/NEWS
@@ -76,6 +76,10 @@ Security related changes:
CVE-2016-10739: The getaddrinfo function could successfully parse IPv4
addresses with arbitrary trailing characters, potentially leading to data
or command injection issues in applications.
+
+ CVE-2019-9169: Attempted case-insensitive regular-expression match
+ via proceed_next_node in posix/regexec.c leads to heap-based buffer
+ over-read. Reported by Hongxu Chen.
\f
Version 2.28
--
2.20.1
^ permalink raw reply [flat|nested] 2+ messages in thread
* [2.28 COMMITTED] regex: fix read overrun [BZ #24114]
@ 2019-01-01 0:00 Aurelien Jarno
2019-01-01 0:00 ` [2.28 COMMITTED] Record CVE-2019-9169 in NEWS and ChangeLog " Aurelien Jarno
0 siblings, 1 reply; 2+ messages in thread
From: Aurelien Jarno @ 2019-01-01 0:00 UTC (permalink / raw)
To: libc-stable; +Cc: Paul Eggert
From: Paul Eggert <eggert@cs.ucla.edu>
Problem found by AddressSanitizer, reported by Hongxu Chen in:
https://debbugs.gnu.org/34140
* posix/regexec.c (proceed_next_node):
Do not read past end of input buffer.
(cherry picked from commit 583dd860d5b833037175247230a328f0050dbfe9)
---
ChangeLog | 8 ++++++++
posix/regexec.c | 6 ++++--
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index e5011123eb7..0ef60fa5ac5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2019-01-31 Paul Eggert <eggert@cs.ucla.edu>
+
+ regex: fix read overrun [BZ #24114]
+ Problem found by AddressSanitizer, reported by Hongxu Chen in:
+ https://debbugs.gnu.org/34140
+ * posix/regexec.c (proceed_next_node):
+ Do not read past end of input buffer.
+
2018-11-07 Andreas Schwab <schwab@suse.de>
[BZ #23864]
diff --git a/posix/regexec.c b/posix/regexec.c
index 73644c23413..06b8487c3e3 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -1289,8 +1289,10 @@ proceed_next_node (const re_match_context_t *mctx, Idx nregs, regmatch_t *regs,
else if (naccepted)
{
char *buf = (char *) re_string_get_buffer (&mctx->input);
- if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
- naccepted) != 0)
+ if (mctx->input.valid_len - *pidx < naccepted
+ || (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
+ naccepted)
+ != 0))
return -1;
}
}
--
2.20.1
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-03-17 8:44 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-01 0:00 [2.28 COMMITTED] regex: fix read overrun [BZ #24114] Aurelien Jarno
2019-01-01 0:00 ` [2.28 COMMITTED] Record CVE-2019-9169 in NEWS and ChangeLog " Aurelien Jarno
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).