https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252403
--- Comment #1 from commit-h...@freebsd.org --- A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=d36b5dbe28d8ebab219fa29db533734d47f0c4a3 commit d36b5dbe28d8ebab219fa29db533734d47f0c4a3 Author: Miod Vallat <m...@online.fr> AuthorDate: 2021-01-08 18:59:00 +0000 Commit: Kyle Evans <kev...@freebsd.org> CommitDate: 2021-01-08 19:58:35 +0000 libc: regex: rework unsafe pointer arithmetic regcomp.c uses the "start + count < end" idiom to check that there are "count" bytes available in an array of char "start" and "end" both point to. This is fine, unless "start + count" goes beyond the last element of the array. In this case, pedantic interpretation of the C standard makes the comparison of such a pointer against "end" undefined, and optimizers from hell will happily remove as much code as possible because of this. An example of this occurs in regcomp.c's bothcases(), which defines bracket[3], sets "next" to "bracket" and "end" to "bracket + 2". Then it invokes p_bracket(), which starts with "if (p->next + 5 < p->end)"... Because bothcases() and p_bracket() are static functions in regcomp.c, there is a real risk of miscompilation if aggressive inlining happens. The following diff rewrites the "start + count < end" constructs into "end - start > count". Assuming "end" and "start" are always pointing in the array (such as "bracket[3]" above), "end - start" is well-defined and can be compared without trouble. As a bonus, MORE2() implies MORE() therefore SEETWO() can be simplified a bit. PR: 252403 lib/libc/regex/regcomp.c | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) -- You are receiving this mail because: You are on the CC list for the bug. _______________________________________________ freebsd-bugs@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
