authorArnold D. Robbins <arnold@skeeve.com>2019-01-25 11:54:54 +0200
committerArnold D. Robbins <arnold@skeeve.com>2019-01-25 11:54:54 +0200
commitdc189dc65b6c9b0f521beb4c6105130c6e33a274 (patch)
tree8af244ee2323bac0978e35cabf6e5dd285b6ecde
parentfe85aef5cc3e31450c6850c996aa348a68c42ca7 (diff)
Bug fix in support/regexec.c.gawk-4.2-stable
-rw-r--r--support/ChangeLog7
-rw-r--r--support/regexec.c6
2 files changed, 11 insertions, 2 deletions
diff --git a/support/ChangeLog b/support/ChangeLog
index a941f28c..b006a670 100644
--- a/support/ChangeLog
+++ b/support/ChangeLog
@@ -1,3 +1,10 @@
+2019-01-21 Paul Eggert <eggert@cs.ucla.edu>
+
+ regex: fix read overrun
+ Problem found by AddressSanitizer, reported by Hongxu Chen in:
+ https://debbugs.gnu.org/cgi/34140
+ * regexec.c (proceed_next_node): Do not read past end of input buffer.
+
2019-01-09 John E. Malmberg <wb8tyw@qsl.net>
* cdefs.h, xalloc.h: For non GCC, have
diff --git a/support/regexec.c b/support/regexec.c
index ecb430d3..ff6ab120 100644
--- a/support/regexec.c
+++ b/support/regexec.c
@@ -1293,8 +1293,10 @@ proceed_next_node (const re_match_context_t *mctx, Idx nregs, regmatch_t *regs,
else if (naccepted)
{
char *buf = (char *) re_string_get_buffer (&mctx->input);
- if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
- naccepted) != 0)
+ if (mctx->input.valid_len - *pidx < naccepted
+ || (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
+ naccepted)
+ != 0))
return -1;
}
}
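Review bot: The new guard in the `else if (naccepted)` branch bounds only the `buf + *pidx` operand of the memcmp; it relies on `*pidx <= mctx->input.valid_len` and on the back-reference span starting at `regs[subexp_idx].rm_so` already lying inside the valid buffer, neither of which is visible in this hunk. If `Idx` is an unsigned type in some build configuration (not shown here), `valid_len - *pidx` would wrap instead of going negative when `*pidx` exceeds `valid_len`, and the check would pass; writing it as `*pidx > mctx->input.valid_len || mctx->input.valid_len - *pidx < naccepted` removes that dependency. A short comment such as `/* Fewer than naccepted bytes remain in the valid input; memcmp would read past the buffer. */` would keep the reason next to the check, and the diffstat shows no regression test for the AddressSanitizer case from the ChangeLog entry. proceed_next_node starts and ends outside the hunk.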