regex: fix buffer read overrun in search [BZ#28470]

Problem reported by Benno Schulenberg in:
https://lists.gnu.org/r/bug-gnulib/2021-10/msg00035.html
* posix/regexec.c (re_search_internal): Use better bounds check.

(cherry picked from commit c52ef24829)
This commit is contained in:
Paul Eggert 2021-11-24 14:16:09 -08:00 committed by Florian Weimer
parent 86a701a204
commit fa5044f1e3
2 changed files with 4 additions and 4 deletions

1
NEWS
View File

@ -77,6 +77,7 @@ The following bugs are resolved with this release:
[28357] deadlock between pthread_create and ELF constructors
[28361] nptl: Avoid setxid deadlock with blocked signals in thread exit
[28407] pthread_kill assumes that kill and tgkill are equivalent
[28470] Buffer read overrun in regular expression searching
[28524] Conversion from ISO-2022-JP-3 with iconv may emit spurious NULs
[28532] powerpc64[le]: CFI for assembly templated syscalls is incorrect
[28607] Masked signals are delivered on thread exit

View File

@ -758,10 +758,9 @@ re_search_internal (const regex_t *preg, const char *string, Idx length,
offset = match_first - mctx.input.raw_mbs_idx;
}
/* If MATCH_FIRST is out of the buffer, leave it as '\0'.
Note that MATCH_FIRST must not be smaller than 0. */
ch = (match_first >= length
? 0 : re_string_byte_at (&mctx.input, offset));
/* Use buffer byte if OFFSET is in buffer, otherwise '\0'. */
ch = (offset < mctx.input.valid_len
? re_string_byte_at (&mctx.input, offset) : 0);
if (fastmap[ch])
break;
match_first += incr;