The following reply was made to PR bin/175213; it has been noted by GNATS.

From: Mark Johnston <ma...@freebsd.org>
To: bug-follo...@freebsd.org, deeptec...@gmail.com
Cc:
Subject: Re: bin/175213: bsdgrep(1) segfaults upon malicious input
Date: Sun, 27 Jan 2013 09:41:33 -0500
The attached patch should fix the problem. The bounds-checking code in IS_OUT_OF_BOUNDS is not quite right; based on the code in SHIFT, (j - 1) or (j + fg->len) must be valid indices into str_byte (depending on whether a reversed search is being done).

I have a little program which reproduces this problem on my machine; it's posted here: http://people.freebsd.org/~markj/prs/175213/

Thanks,
-Mark

[attachment: bsdgrep_bounds.diff]

diff --git a/usr.bin/grep/regex/tre-fastmatch.c b/usr.bin/grep/regex/tre-fastmatch.c
index b7a7c91..e363a28 100644
--- a/usr.bin/grep/regex/tre-fastmatch.c
+++ b/usr.bin/grep/regex/tre-fastmatch.c
@@ -101,9 +101,9 @@ static int fastcmp(const fastmatch_t *fg, const void *data,
#define IS_OUT_OF_BOUNDS \
((!fg->reversed \
- ? ((type == STR_WIDE) ? ((j + fg->wlen) > len) \
- : ((j + fg->len) > len)) \
- : (j < 0)))
+ ? ((type == STR_WIDE) ? ((j + fg->wlen) >= len) \
+ : ((j + fg->len) >= len)) \
+ : (j <= 0)))
/*
* Checks whether the new position after shifting in the input string
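Review bot: the macro now treats j + fg->len == len (and j == 0 for a reversed search) as out of bounds, which is consistent with the note that SHIFT reads str_byte[j + fg->len] or str_byte[j - 1] as a lookahead; a one-line comment on `#define IS_OUT_OF_BOUNDS` saying that the bound guards that lookahead read rather than the match position itself would keep a later reader from "correcting" `>=` back to `>` and reintroducing the over-read. The same tightening is applied to the STR_WIDE branch (`((j + fg->wlen) >= len)`), but the message only argues from str_byte, so please confirm SHIFT's wide-character path reads at the same offset into its buffer, and consider turning the reproducer posted for this PR into a regression test so the off-by-one stays fixed.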