diff options
| -rw-r--r-- | ChangeLog | 10 | ||||
| -rw-r--r-- | posix/regexec.c | 6 |
2 files changed, 13 insertions, 3 deletions
@@ -1,3 +1,11 @@ +2019-01-31 Paul Eggert <eggert@cs.ucla.edu> + + regex: fix read overrun [BZ #24114] + Problem found by AddressSanitizer, reported by Hongxu Chen in: + https://debbugs.gnu.org/34140 + * posix/regexec.c (proceed_next_node): + Do not read past end of input buffer. + 2019-01-31 Florian Weimer <fweimer@redhat.com> [BZ #24059] @@ -18002,7 +18010,7 @@ (CFLAGS-wcstof_l.c): Likewise. (CPPFLAGS-tst-wchar-h.c): Likewise. (CPPFLAGS-wcstold_l.c): Likewise. ---- + 2017-12-11 Paul A. Clarke <pc@us.ibm.com> * sysdeps/ieee754/flt-32/s_cosf.c: New implementation. diff --git a/posix/regexec.c b/posix/regexec.c index 91d5a797b8..084b1222d9 100644 --- a/posix/regexec.c +++ b/posix/regexec.c @@ -1293,8 +1293,10 @@ proceed_next_node (const re_match_context_t *mctx, Idx nregs, regmatch_t *regs, else if (naccepted) { char *buf = (char *) re_string_get_buffer (&mctx->input); - if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx, - naccepted) != 0) + if (mctx->input.valid_len - *pidx < naccepted + || (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx, + naccepted) + != 0)) return -1; } } |