regcomp: Fix off-by-one bug in build_equiv_class [BZ #23396]

This bug is very similar to bug 23036: The existing code assumed that the length count included the length byte itself. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2025-01-12 04:00:17 +00:00 · 2018-07-20 11:58:51 +02:00 · 2018-07-20 11:58:51 +02:00 · 786658a088
commit 786658a088
parent 2d5c41ded9
2 changed files with 10 additions and 12 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
 2018-07-20  Florian Weimer  <fweimer@redhat.com>
 	[BZ #23396]
 	* posix/regcomp.c (build_equiv_class): When comparing weights, do
 	not compare an extra byte after the end of the weights.
 2018-07-20  Samuel Thibault  <samuel.thibault@ens-lyon.org>
 	* sysdeps/mach/hurd/i386/tls.h (_hurd_tls_init): Set multiple_threads
--- a/posix/regcomp.c
+++ b/posix/regcomp.c
@ -3531,19 +3531,11 @@ build_equiv_class (bitset_t sbcset, const unsigned char *name)
 	    continue;
 	  /* Compare only if the length matches and the collation rule
 	     index is the same.  */
-	  if (len == weights[idx2 & 0xffffff] && (idx1 >> 24) == (idx2 >> 24))
+	  if (len == weights[idx2 & 0xffffff] && (idx1 >> 24) == (idx2 >> 24)
-	    {
+	      && memcmp (weights + (idx1 & 0xffffff) + 1,
-	      int cnt = 0;
+			 weights + (idx2 & 0xffffff) + 1, len) == 0)
 	      while (cnt <= len &&
 		     weights[(idx1 & 0xffffff) + 1 + cnt]
 		     == weights[(idx2 & 0xffffff) + 1 + cnt])
 		++cnt;
 	      if (cnt > len)
 	    bitset_set (sbcset, ch);
 	}
 	}
      /* Check whether the array has enough space.  */
      if (BE (*equiv_class_alloc == mbcset->nequiv_classes, 0))
 	{