forked from rpms/glibc
1708d98eba
* Mon Nov 14 2022 Arjun Shankar <arjun@redhat.com> - 2.34-49
- Sync with upstream branch release/2.34/master,
  commit: 75b0edb7ef338084e53925139ae81fb0dfc07dd4:
- Update NEWS file in the right place
- Linux: Support __IPC_64 in sysvctl *ctl command arguments (bug 29771)
- io: Fix use-after-free in ftw [BZ #26779]
- io: Fix ftw internal realloc buffer (BZ #28126)
- regex: fix buffer read overrun in search [BZ#28470]
- regex: copy back from Gnulib
- Allow #pragma GCC in headers in conformtest
- Fix memmove call in vfprintf-internal.c:group_number
- mktime: improve heuristic for ca-1986 Indiana DST
- Makerules: fix MAKEFLAGS assignment for upcoming make-4.4 [BZ# 29564]
- linux: Fix generic struct_stat for 64 bit time (BZ# 29657)
- elf: Do not completely clear reused namespace in dlmopen (bug 29600)
- nss: Use shared prefix in IPv4 address in tst-reload1
- nss: Fix tst-nss-files-hosts-long on single-stack hosts (bug 24816)
- nss: Implement --no-addrconfig option for getent

Resolves: #2141728
Resolves: #2110357
Resolves: #2141685
31 lines
1.2 KiB
Diff
commit fa5044f1e38f4f6515253449b6ca77fd14f53b8e
Author: Paul Eggert <eggert@cs.ucla.edu>
Date: Wed Nov 24 14:16:09 2021 -0800

regex: fix buffer read overrun in search [BZ#28470]

Problem reported by Benno Schulenberg in:
https://lists.gnu.org/r/bug-gnulib/2021-10/msg00035.html
* posix/regexec.c (re_search_internal): Use better bounds check.

(cherry picked from commit c52ef24829f95a819965214eeae28e3289a91a61)

diff --git a/posix/regexec.c b/posix/regexec.c
|
|
index 83e9aaf8cad956a2..6aeba3c0b4da23cc 100644
|
|
--- a/posix/regexec.c
|
|
+++ b/posix/regexec.c
|
|
@@ -758,10 +758,9 @@ re_search_internal (const regex_t *preg, const char *string, Idx length,
|
|
|
|
offset = match_first - mctx.input.raw_mbs_idx;
|
|
}
|
|
- /* If MATCH_FIRST is out of the buffer, leave it as '\0'.
|
|
- Note that MATCH_FIRST must not be smaller than 0. */
|
|
- ch = (match_first >= length
|
|
- ? 0 : re_string_byte_at (&mctx.input, offset));
|
|
+ /* Use buffer byte if OFFSET is in buffer, otherwise '\0'. */
|
|
+ ch = (offset < mctx.input.valid_len
|
|
+ ? re_string_byte_at (&mctx.input, offset) : 0);
|
|
if (fastmap[ch])
|
|
break;
|
|
match_first += incr;
|
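Review bot: the replacement condition `offset < mctx.input.valid_len` checks only the upper bound, while the comment it removes recorded the precondition that MATCH_FIRST must not be smaller than 0. OFFSET is computed just above as `match_first - mctx.input.raw_mbs_idx`, so if that difference could ever be negative in a signed index type, the comparison would still pass and `re_string_byte_at (&mctx.input, offset)` would read before the start of the buffer. Please either keep the non-negativity precondition in the new comment, restated for OFFSET, or make it explicit in the condition (for example `0 <= offset && offset < mctx.input.valid_len`). The result is also used directly as the index in `fastmap[ch]`, so it is worth confirming in the description that the byte returned is always within the fastmap's range. Finally, this backport touches only posix/regexec.c; a regression test built from the reproducer in the linked bug-gnulib report would keep the overrun from BZ#28470 from coming back unnoticed.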