authorPaul Eggert <eggert@cs.ucla.edu>2018-08-28 21:54:28 +0200
committerFlorian Weimer <fweimer@redhat.com>2018-08-28 21:54:28 +0200
commit58559f14437d2aa71753a29fed435efa06aa4576 (patch)
tree60a9a7e3458a59fa78b9f05faf752ee2cf3630e6
parentaa8a3e4cdef20c50cb20f008864fff05cbfbdf29 (diff)
regex: fix uninitialized memory access
I introduced this bug into gnulib in commit
8335a4d6c7b4448cd0bcb6d0bebf1d456bcfdb17 dated 2006-04-10;
eventually it was merged into glibc.  The bug was found by
project-repo <bugs@feusi.co> and reported here:
https://lists.gnu.org/r/sed-devel/2018-08/msg00017.html
Diagnosis and draft fix reported by Assaf Gordon here:
https://lists.gnu.org/r/bug-gnulib/2018-08/msg00071.html
https://lists.gnu.org/r/bug-gnulib/2018-08/msg00142.html
* posix/regex_internal.c (build_wcs_upper_buffer):
Fix bug when mbrtowc returns 0.

(cherry picked from commit bc680b336971305cb39896b30d72dc7101b62242)
-rw-r--r--ChangeLog15
-rw-r--r--NEWS1
-rw-r--r--posix/regex_internal.c4
3 files changed, 18 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index ef83777833..8625e6c9f5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,18 @@
+2018-08-25  Paul Eggert  <eggert@cs.ucla.edu>
+
+	[BZ #23578]
+	regex: fix uninitialized memory access
+	I introduced this bug into gnulib in commit
+	8335a4d6c7b4448cd0bcb6d0bebf1d456bcfdb17 dated 2006-04-10;
+	eventually it was merged into glibc.  The bug was found by
+	project-repo <bugs@feusi.co> and reported here:
+	https://lists.gnu.org/r/sed-devel/2018-08/msg00017.html
+	Diagnosis and draft fix reported by Assaf Gordon here:
+	https://lists.gnu.org/r/bug-gnulib/2018-08/msg00071.html
+	https://lists.gnu.org/r/bug-gnulib/2018-08/msg00142.html
+	* posix/regex_internal.c (build_wcs_upper_buffer):
+	Fix bug when mbrtowc returns 0.
+
 2018-08-27 Martin Kuchta  <martin.kuchta@netapp.com>
 	   Torvald Riegel  <triegel@redhat.com>
 
diff --git a/NEWS b/NEWS
index 3073712cba..2855ffde58 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,7 @@ The following bugs are resolved with this release:
   [23497] readdir64@GLIBC_2.1 cannot parse the kernel directory stream
   [23521] nss_files aliases database file stream leak
   [23538] pthread_cond_broadcast: Fix waiters-after-spinning case
+  [23578] regex: Fix memory overread in re_compile_pattern
 
 
 Version 2.28
diff --git a/posix/regex_internal.c b/posix/regex_internal.c
index 7f0083b918..b10588f1cc 100644
--- a/posix/regex_internal.c
+++ b/posix/regex_internal.c
@@ -317,7 +317,7 @@ build_wcs_upper_buffer (re_string_t *pstr)
 	  mbclen = __mbrtowc (&wc,
 			      ((const char *) pstr->raw_mbs + pstr->raw_mbs_idx
 			       + byte_idx), remain_len, &pstr->cur_state);
-	  if (BE (mbclen < (size_t) -2, 1))
+	  if (BE (0 < mbclen && mbclen < (size_t) -2, 1))
 	    {
 	      wchar_t wcu = __towupper (wc);
 	      if (wcu != wc)
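Review bot: The new condition on the `+` line encodes a non-obvious fact — `mbrtowc` returns 0 when it decodes a null character — and nothing in the hunk says why that case must now be routed away from the "valid character" branch, so the next reader will see `0 < mbclen` as a stray bounds check; a one-line comment above the `if`, `/* mbclen == 0 means a null byte; let the fallback below treat it as a single byte instead of a zero-length character.  */`, would preserve the reasoning the commit message gives. The same comment belongs on the identical condition at line 84. The fallback branch that now receives the mbclen == 0 case lies outside both hunks, so this review cannot confirm how it advances the index for that input; the claim that it steps one byte should be checked there, since a zero-length step is the only way the loop could fail to terminate. The diffstat shows no test change, so a regression case with an embedded NUL in the pattern under a multibyte locale would be worth adding alongside the fix.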
@@ -386,7 +386,7 @@ build_wcs_upper_buffer (re_string_t *pstr)
 	else
 	  p = (const char *) pstr->raw_mbs + pstr->raw_mbs_idx + src_idx;
 	mbclen = __mbrtowc (&wc, p, remain_len, &pstr->cur_state);
-	if (BE (mbclen < (size_t) -2, 1))
+	if (BE (0 < mbclen && mbclen < (size_t) -2, 1))
 	  {
 	    wchar_t wcu = __towupper (wc);
 	    if (wcu != wc)