| From 7839f70dc125c067ac53e8d89c2028d2b816c9e7 Mon Sep 17 00:00:00 2001 |
| From: Vaibhav Rustagi <vaibhavrustagi@google.com> |
| Date: Thu, 18 Jun 2020 10:59:32 -0700 |
| Subject: [PATCH] regex: fix read overrun [BZ #24114] |
| |
| Problem found by AddressSanitizer, reported by Hongxu Chen in: |
| https://debbugs.gnu.org/34140 |
| * posix/regexec.c (proceed_next_node): |
| Do not read past end of input buffer. |
| --- |
| posix/regexec.c | 6 ++++-- |
| 1 file changed, 4 insertions(+), 2 deletions(-) |
| |
| diff --git a/posix/regexec.c b/posix/regexec.c |
| index 4b1ab4ecff..1fd10df6c7 100644 |
| --- a/posix/regexec.c |
| +++ b/posix/regexec.c |
| @@ -1272,8 +1272,10 @@ proceed_next_node (const re_match_context_t *mctx, int nregs, regmatch_t *regs, |
| else if (naccepted) |
| { |
| char *buf = (char *) re_string_get_buffer (&mctx->input); |
| - if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx, |
| - naccepted) != 0) |
| + if (mctx->input.valid_len - *pidx < naccepted |
| + || (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx, |
| + naccepted) |
| + != 0)) |
| return -1; |
| } |
| } |
| -- |
| 2.27.0.290.gba653c62da-goog |
| |