authorAndreas Schwab <schwab@redhat.com>2011-11-29 10:52:22 +0100
committerAndreas Schwab <schwab@redhat.com>2011-11-30 11:03:20 +0100
commitf3a6cc0a560a17f32a3e90d2f20501a53cab6058 (patch)
tree52085ca0dbca778c7cdf92bf0ddebe8a6727a432 /posix
parentc5a0802a682dba23f92d47f0f99775aebfbe2539 (diff)
Fix access after end of search string in regex matcher
Diffstat (limited to 'posix')
-rw-r--r--posix/fnmatch_loop.c4
-rw-r--r--posix/regcomp.c9
-rw-r--r--posix/regex_internal.h2
-rw-r--r--posix/regexec.c2
4 files changed, 8 insertions, 9 deletions
diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
index 18a6667609..72bd3ee856 100644
--- a/posix/fnmatch_loop.c
+++ b/posix/fnmatch_loop.c
@@ -412,7 +412,7 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
 			  _NL_CURRENT (LC_COLLATE, _NL_COLLATE_INDIRECTMB);
 # endif
 
-			idx = findidx (&cp);
+			idx = findidx (&cp, 1);
 			if (idx != 0)
 			  {
 			    /* We found a table entry.  Now see whether the
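Review bot: The literal `1` passed to `findidx` at this call is unexplained, and the buffer `cp` points into is declared outside the hunk, so the bound cannot be confirmed from these lines. A short comment above the call, such as `/* CP points at a single character, so limit the lookup to one element.  */`, would record why the limit is 1. The same applies to `findidx (&cp, 1)` in the `char_buf` loop of `build_equiv_class` in posix/regcomp.c, where the bound appears to be what makes the removed `char_buf[1]` terminator unnecessary.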
@@ -422,7 +422,7 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
 			    int32_t idx2;
 			    const UCHAR *np = (const UCHAR *) n;
 
-			    idx2 = findidx (&np);
+			    idx2 = findidx (&np, string_end - n);
 			    if (idx2 != 0
 				&& (idx >> 24) == (idx2 >> 24)
 				&& len == weights[idx2 & 0xffffff])
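Review bot: The length `string_end - n` is a signed pointer difference, and nothing in this hunk shows that `n < string_end` holds when the call is reached. The `findidx` definition is not part of this diff; if its length parameter is unsigned, a negative difference would convert to a very large limit, which looks like the value the regcomp.c call passes on purpose (`-1`) to mean unbounded, and a zero difference depends on the lookup refusing to read `*np`. If the invariant holds, record it next to the call, e.g. `/* N < STRING_END here, so at least one element is available.  */`; if it does not, skip the lookup when the difference is not positive. `pstr->len - idx` in `re_string_elem_size_at` (posix/regex_internal.h) has the same shape, and the enclosing function here starts and ends outside the hunk.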
diff --git a/posix/regcomp.c b/posix/regcomp.c
index b238c08225..34ee845081 100644
--- a/posix/regcomp.c
+++ b/posix/regcomp.c
@@ -1,5 +1,5 @@
 /* Extended regular expression matching and search library.
-   Copyright (C) 2002-2007,2009,2010 Free Software Foundation, Inc.
+   Copyright (C) 2002-2007,2009,2010,2011 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
    Contributed by Isamu Hasegawa <isamu@yamato.ibm.com>.
 
@@ -3409,19 +3409,18 @@ build_equiv_class (bitset_t sbcset, const unsigned char *name)
 						   _NL_COLLATE_EXTRAMB);
       indirect = (const int32_t *) _NL_CURRENT (LC_COLLATE,
 						_NL_COLLATE_INDIRECTMB);
-      idx1 = findidx (&cp);
-      if (BE (idx1 == 0 || cp < name + strlen ((const char *) name), 0))
+      idx1 = findidx (&cp, -1);
+      if (BE (idx1 == 0 || *cp != '\0', 0))
 	/* This isn't a valid character.  */
 	return REG_ECOLLATE;
 
       /* Build single byte matcing table for this equivalence class.  */
-      char_buf[1] = (unsigned char) '\0';
       len = weights[idx1 & 0xffffff];
       for (ch = 0; ch < SBC_MAX; ++ch)
 	{
 	  char_buf[0] = ch;
 	  cp = char_buf;
-	  idx2 = findidx (&cp);
+	  idx2 = findidx (&cp, 1);
 /*
 	  idx2 = table[ch];
 */
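Review bot: `findidx (&cp, -1)` leaves this one lookup without a usable limit, and the check that follows now dereferences `cp` instead of comparing it with the end of `name`. Assuming the second argument is a maximum length, as the other call sites in this commit suggest, `-1` presumably converts to the largest value, so the safety of `*cp != '\0'` rests on the lookup never stepping past the terminator of `name`. Passing the real length keeps the bound explicit: `idx1 = findidx (&cp, strlen ((const char *) name));`. If `-1` is kept, a comment such as `/* NAME is NUL-terminated; -1 means no length limit.  */` would document the sentinel. `build_equiv_class` continues outside the hunk.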
diff --git a/posix/regex_internal.h b/posix/regex_internal.h
index 74dd23074d..1e4e16772e 100644
--- a/posix/regex_internal.h
+++ b/posix/regex_internal.h
@@ -755,7 +755,7 @@ re_string_elem_size_at (const re_string_t *pstr, int idx)
       indirect = (const int32_t *) _NL_CURRENT (LC_COLLATE,
 						_NL_COLLATE_INDIRECTMB);
       p = pstr->mbs + idx;
-      findidx (&p);
+      findidx (&p, pstr->len - idx);
       return p - pstr->mbs - idx;
     }
   else
diff --git a/posix/regexec.c b/posix/regexec.c
index 9e0c56599e..3ea810bb95 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -3924,7 +3924,7 @@ check_node_accept_bytes (const re_dfa_t *dfa, int node_idx,
 		_NL_CURRENT (LC_COLLATE, _NL_COLLATE_EXTRAMB);
 	      indirect = (const int32_t *)
 		_NL_CURRENT (LC_COLLATE, _NL_COLLATE_INDIRECTMB);
-	      int32_t idx = findidx (&cp);
+	      int32_t idx = findidx (&cp, elem_len);
 	      if (idx > 0)
 		for (i = 0; i < cset->nequiv_classes; ++i)
 		  {