glibc/SOURCES/glibc-upstream-2.34-356.patch
2023-03-29 06:16:33 +00:00

31 lines
1.2 KiB
Diff

commit fa5044f1e38f4f6515253449b6ca77fd14f53b8e
Author: Paul Eggert <eggert@cs.ucla.edu>
Date: Wed Nov 24 14:16:09 2021 -0800
regex: fix buffer read overrun in search [BZ#28470]
Problem reported by Benno Schulenberg in:
https://lists.gnu.org/r/bug-gnulib/2021-10/msg00035.html
* posix/regexec.c (re_search_internal): Use better bounds check.
(cherry picked from commit c52ef24829f95a819965214eeae28e3289a91a61)
diff --git a/posix/regexec.c b/posix/regexec.c
index 83e9aaf8cad956a2..6aeba3c0b4da23cc 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -758,10 +758,9 @@ re_search_internal (const regex_t *preg, const char *string, Idx length,
offset = match_first - mctx.input.raw_mbs_idx;
}
- /* If MATCH_FIRST is out of the buffer, leave it as '\0'.
- Note that MATCH_FIRST must not be smaller than 0. */
- ch = (match_first >= length
- ? 0 : re_string_byte_at (&mctx.input, offset));
+ /* Use buffer byte if OFFSET is in buffer, otherwise '\0'. */
+ ch = (offset < mctx.input.valid_len
+ ? re_string_byte_at (&mctx.input, offset) : 0);
if (fastmap[ch])
break;
match_first += incr;