From c52ef24829f95a819965214eeae28e3289a91a61 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Wed, 24 Nov 2021 14:16:09 -0800 Subject: [PATCH] regex: fix buffer read overrun in search [BZ#28470] Problem reported by Benno Schulenberg in: https://lists.gnu.org/r/bug-gnulib/2021-10/msg00035.html * posix/regexec.c (re_search_internal): Use better bounds check. --- posix/regexec.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/posix/regexec.c b/posix/regexec.c index 83e9aaf8ca..6aeba3c0b4 100644 --- a/posix/regexec.c +++ b/posix/regexec.c @@ -758,10 +758,9 @@ re_search_internal (const regex_t *preg, const char *string, Idx length, offset = match_first - mctx.input.raw_mbs_idx; } - /* If MATCH_FIRST is out of the buffer, leave it as '\0'. - Note that MATCH_FIRST must not be smaller than 0. */ - ch = (match_first >= length - ? 0 : re_string_byte_at (&mctx.input, offset)); + /* Use buffer byte if OFFSET is in buffer, otherwise '\0'. */ + ch = (offset < mctx.input.valid_len + ? re_string_byte_at (&mctx.input, offset) : 0); if (fastmap[ch]) break; match_first += incr;