mirror of
https://sourceware.org/git/glibc.git
synced 2024-12-24 11:41:07 +00:00
regcomp: Fix off-by-one bug in build_equiv_class [BZ #23396]
This bug is very similar to bug 23036: The existing code assumed that the length count included the length byte itself. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
This commit is contained in:
parent
2d5c41ded9
commit
786658a088
@ -1,3 +1,9 @@
|
||||
2018-07-20 Florian Weimer <fweimer@redhat.com>
|
||||
|
||||
[BZ #23396]
|
||||
* posix/regcomp.c (build_equiv_class): When comparing weights, do
|
||||
not compare an extra byte after the end of the weights.
|
||||
|
||||
2018-07-20 Samuel Thibault <samuel.thibault@ens-lyon.org>
|
||||
|
||||
* sysdeps/mach/hurd/i386/tls.h (_hurd_tls_init): Set multiple_threads
|
||||
|
@ -3531,19 +3531,11 @@ build_equiv_class (bitset_t sbcset, const unsigned char *name)
|
||||
continue;
|
||||
/* Compare only if the length matches and the collation rule
|
||||
index is the same. */
|
||||
if (len == weights[idx2 & 0xffffff] && (idx1 >> 24) == (idx2 >> 24))
|
||||
{
|
||||
int cnt = 0;
|
||||
|
||||
while (cnt <= len &&
|
||||
weights[(idx1 & 0xffffff) + 1 + cnt]
|
||||
== weights[(idx2 & 0xffffff) + 1 + cnt])
|
||||
++cnt;
|
||||
|
||||
if (cnt > len)
|
||||
if (len == weights[idx2 & 0xffffff] && (idx1 >> 24) == (idx2 >> 24)
|
||||
&& memcmp (weights + (idx1 & 0xffffff) + 1,
|
||||
weights + (idx2 & 0xffffff) + 1, len) == 0)
|
||||
bitset_set (sbcset, ch);
|
||||
}
|
||||
}
|
||||
/* Check whether the array has enough space. */
|
||||
if (BE (*equiv_class_alloc == mbcset->nequiv_classes, 0))
|
||||
{
|
||||
|
Loading…
Reference in New Issue
Block a user