From 583dd860d5b833037175247230a328f0050dbfe9 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Mon, 21 Jan 2019 11:08:13 -0800 Subject: [PATCH] regex: fix read overrun [BZ #24114] Problem found by AddressSanitizer, reported by Hongxu Chen in: https://debbugs.gnu.org/34140 * posix/regexec.c (proceed_next_node): Do not read past end of input buffer. Upstream-Status: Backport https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9 CVE: CVE-2019-9169 Signed-off-by: Armin Kuster --- ChangeLog | 10 +++++++++- posix/regexec.c | 6 ++++-- 2 files changed, 13 insertions(+), 3 deletions(-) Index: git/ChangeLog =================================================================== --- git.orig/ChangeLog +++ git/ChangeLog @@ -1,3 +1,11 @@ +2019-01-31 Paul Eggert + + regex: fix read overrun [BZ #24114] + Problem found by AddressSanitizer, reported by Hongxu Chen in: + https://debbugs.gnu.org/34140 + * posix/regexec.c (proceed_next_node): + Do not read past end of input buffer. + 2018-09-30 Martin Jansa Partial fix for [BZ #23716] * locale/weight.h: Fix build with -Os. @@ -10917,7 +10925,7 @@ (CFLAGS-wcstof_l.c): Likewise. (CPPFLAGS-tst-wchar-h.c): Likewise. (CPPFLAGS-wcstold_l.c): Likewise. ---- + 2017-12-11 Paul A. Clarke * sysdeps/ieee754/flt-32/s_cosf.c: New implementation. Index: git/posix/regexec.c =================================================================== --- git.orig/posix/regexec.c +++ git/posix/regexec.c @@ -1289,8 +1289,10 @@ proceed_next_node (const re_match_contex else if (naccepted) { char *buf = (char *) re_string_get_buffer (&mctx->input); - if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx, - naccepted) != 0) + if (mctx->input.valid_len - *pidx < naccepted + || (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx, + naccepted) + != 0)) return -1; } }