Thanks for the bug report. I reproduced the problem with texinfo and installed the attached Gnulib patch, which fixed things for me with texinfo. I didn't quite follow the 'nano' instructions but I hope this fixes the problem there too.

As this is a glibc bug I filed a bug report there too:

https://sourceware.org/bugzilla/show_bug.cgi?id=28470

and I'll try to make sure it gets fixed there too.
From f14df82a3f36f833ad1174d293c9c2e33f2a2bea Mon Sep 17 00:00:00 2001
From: Paul Eggert <[email protected]>
Date: Mon, 18 Oct 2021 14:50:16 -0700
Subject: [PATCH] regex: fix buffer read overrun

* config/srclist.txt: Remove posix/regexec.c for now.
* lib/regexec.c (re_search_internal):
Fix buffer read overrun reported by Benno Schulenberg in:
https://lists.gnu.org/r/bug-gnulib/2021-10/msg00035.html
---
 ChangeLog          | 7 +++++++
 config/srclist.txt | 2 +-
 lib/regexec.c      | 2 +-
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 87fd99f6a..a017453dc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2021-10-18  Paul Eggert  <[email protected]>
+
+	regex: fix buffer read overrrun
+	* lib/regexec.c (re_search_internal):
+	Fix buffer read overrun reported by Benno Schulenberg in:
+	https://lists.gnu.org/r/bug-gnulib/2021-10/msg00035.html
+
 2021-10-15  Paul Eggert  <[email protected]>
 
 	nproc: port better to macOS 10.14
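Review bot: the new entry's title line, `regex: fix buffer read overrrun`, misspells "overrun" with three r's while the description two lines below spells it correctly; fix the title so the ChangeLog can be grepped consistently for the fix.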
diff --git a/config/srclist.txt b/config/srclist.txt
index 16b61721a..83e251def 100644
--- a/config/srclist.txt
+++ b/config/srclist.txt
@@ -70,7 +70,7 @@ $LIBCSRC posix/regex.c			lib
 $LIBCSRC posix/regex.h			lib
 $LIBCSRC posix/regex_internal.c		lib
 $LIBCSRC posix/regex_internal.h		lib
-$LIBCSRC posix/regexec.c		lib
+#$LIBCSRC posix/regexec.c		lib
 #$LIBCSRC stdlib/canonicalize           lib/canonicalize-lgpl.c
 #$LIBCSRC sysdeps/generic/eloop-threshold.h	lib
 $LIBCSRC time/timegm.c			lib
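Review bot: commenting out `$LIBCSRC posix/regexec.c		lib` stops the glibc sync from overwriting the local fix, but leaves no record of why or of when the line can be restored. Add a comment on or beside the disabled entry pointing at the glibc report this mail cites (https://sourceware.org/bugzilla/show_bug.cgi?id=28470), since the neighbouring commented-out lines give no such hint and the next person running the sync will otherwise have to rediscover the reason.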
diff --git a/lib/regexec.c b/lib/regexec.c
index 83e9aaf8c..a955aa218 100644
--- a/lib/regexec.c
+++ b/lib/regexec.c
@@ -760,7 +760,7 @@ re_search_internal (const regex_t *preg, const char *string, Idx length,
 		}
 	      /* If MATCH_FIRST is out of the buffer, leave it as '\0'.
 		 Note that MATCH_FIRST must not be smaller than 0.  */
-	      ch = (match_first >= length
+	      ch = (mctx.input.valid_len <= offset
 		    ? 0 : re_string_byte_at (&mctx.input, offset));
 	      if (fastmap[ch])
 		break;
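Review bot: the test now compares `offset` against `mctx.input.valid_len`, but the comment just above it still describes the check purely in terms of MATCH_FIRST being "out of the buffer"; reword it to say the byte is only read when `offset` falls within the `valid_len` bytes actually present in `mctx.input`, because that, not the caller's `length`, is the bound that `re_string_byte_at` respects. The old condition `match_first >= length` bounded the index by the string length rather than by the filled part of the input buffer, which is why the read could run past the end; the reproducer linked in the commit message would make a good regression test so the fix survives the next resync of regexec.c from glibc.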
-- 
2.31.1
