From f3a6cc0a560a17f32a3e90d2f20501a53cab6058 Mon Sep 17 00:00:00 2001
From: Andreas Schwab
Date: Tue, 29 Nov 2011 10:52:22 +0100
Subject: Fix access after end of search string in regex matcher
---
 locale/weight.h | 11 ++++++-----
 locale/weightwc.h | 9 +++++----
 2 files changed, 11 insertions(+), 9 deletions(-)
(limited to 'locale')
diff --git a/locale/weight.h b/locale/weight.h
index dc70a00be5..967e176ca6 100644
--- a/locale/weight.h
+++ b/locale/weight.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 1996,1997,1998,1999,2000,2003,2004 Free Software Foundation, Inc.
+/* Copyright (C) 1996,1997,1998,1999,2000,2003,2004,2011 Free Software Foundation, Inc.
 This file is part of the GNU C Library.
 Written by Ulrich Drepper, .
@@ -20,7 +20,7 @@
 /* Find index of weight. */
 auto inline int32_t
 __attribute ((always_inline))
-findidx (const unsigned char **cpp)
+findidx (const unsigned char **cpp, size_t len)
 {
 int_fast32_t i = table[*(*cpp)++];
 const unsigned char *cp;
@@ -34,6 +34,7 @@ findidx (const unsigned char **cpp)
 Search for the correct one. */
 cp = &extra[-i];
 usrc = *cpp;
+ --len;
 while (1)
 {
 size_t nhere;
@@ -56,7 +57,7 @@ findidx (const unsigned char **cpp)
 already. */
 size_t cnt;
- for (cnt = 0; cnt < nhere; ++cnt)
+ for (cnt = 0; cnt < nhere && cnt < len; ++cnt)
 if (cp[cnt] != usrc[cnt])
 break;
@@ -79,13 +80,13 @@ findidx (const unsigned char **cpp)
 size_t cnt;
 size_t offset = 0;
- for (cnt = 0; cnt < nhere; ++cnt)
+ for (cnt = 0; cnt < nhere && cnt < len; ++cnt)
 if (cp[cnt] != usrc[cnt])
 break;
 if (cnt != nhere)
 {
- if (cp[cnt] > usrc[cnt])
+ if (cnt == len || cp[cnt] > usrc[cnt])
 {
 /* Cannot be in this range. */
 cp += 2 * nhere;
diff --git a/locale/weightwc.h b/locale/weightwc.h
index 9ea1126a24..7862091426 100644
--- a/locale/weightwc.h
+++ b/locale/weightwc.h
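Review bot: The new `len` parameter of `findidx` in locale/weight.h (hunk @@ -20,7 +20,7 @@) is undocumented, and the `--len;` added in the @@ -34,6 +34,7 @@ hunk can wrap. The function consumes one element through `*(*cpp)++` and only then decrements, so `len` evidently counts the elements readable at `*cpp` including the first one; if a caller ever passes 0, the `size_t` wraps to `SIZE_MAX` and every added `cnt < len` test stops bounding anything. I would extend the header comment to `/* Find index of weight. LEN is the number of elements available at *CPP, including the first, and must be at least 1. */` and consider an `assert (len > 0);` ahead of the first read. The same applies to the wide-character copy in locale/weightwc.h; the callers are not part of this diff (it is limited to 'locale'), so what they pass cannot be checked from here.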
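Review bot: In the @@ -79,13 +80,13 @@ hunk of locale/weight.h the added `cnt == len ||` test guards only the `cp[cnt] > usrc[cnt]` comparison. When the loop stops on a mismatch with `cnt < len` while `len < nhere`, control falls past this `if` into the remainder of the range branch, which lies outside the hunk. If that code compares `usrc` against the end of the range up to index `nhere` (not visible here), it needs the same `len` bound, otherwise a read past the end of the search string stays reachable on that path. A short comment at the guard, such as `/* Input ended inside this sequence: cannot be in this range. */`, would also make the intent of the new condition explicit.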
@@ -1,4 +1,4 @@
-/* Copyright (C) 1996-2001,2003,2004,2005,2007 Free Software Foundation, Inc.
+/* Copyright (C) 1996-2001,2003,2004,2005,2007,2011 Free Software Foundation, Inc.
 This file is part of the GNU C Library.
 Written by Ulrich Drepper, .
@@ -20,7 +20,7 @@
 /* Find index of weight. */
 auto inline int32_t
 __attribute ((always_inline))
-findidx (const wint_t **cpp)
+findidx (const wint_t **cpp, size_t len)
 {
 wint_t ch = *(*cpp)++;
 int32_t i = __collidx_table_lookup ((const char *) table, ch);
@@ -32,6 +32,7 @@ findidx (const wint_t **cpp)
 /* Oh well, more than one sequence starting with this byte.
 Search for the correct one. */
 const int32_t *cp = (const int32_t *) &extra[-i];
+ --len;
 while (1)
 {
 size_t nhere;
@@ -54,7 +55,7 @@ findidx (const wint_t **cpp)
 already. */
 size_t cnt;
- for (cnt = 0; cnt < nhere; ++cnt)
+ for (cnt = 0; cnt < nhere && cnt < len; ++cnt)
 if (cp[cnt] != usrc[cnt])
 break;
@@ -75,7 +76,7 @@ findidx (const wint_t **cpp)
 size_t cnt;
 size_t offset;
- for (cnt = 0; cnt < nhere - 1; ++cnt)
+ for (cnt = 0; cnt < nhere - 1 && cnt < len; ++cnt)
 if (cp[cnt] != usrc[cnt])
 break;
-- cgit 1.4.1
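Review bot: The range loop in locale/weightwc.h (hunk @@ -75,7 +76,7 @@) gains the `cnt < len` bound but, unlike the matching hunk in locale/weight.h, no `cnt == len` check is added for the code that follows it. The loop can now end with `cnt == len`, and any later read of `usrc[cnt]` or `usrc[nhere - 1]` would then touch the element just past the input; that code is outside the hunk, so this needs confirming against the full function. If such a read exists, treat `cnt == len` as "cannot be in this range" before the comparison, the way weight.h does with `if (cnt == len || cp[cnt] > usrc[cnt])`.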