Module Name: src
Committed By: christos
Date: Thu Feb 7 22:13:52 UTC 2019
Modified Files:
src/lib/libc/regex: regcomp.c
Log Message:
Fix OOB read from FreeBSD:
The bug is an out-of-bounds read detected with address sanitizer that
happens when 'sp' in p_b_coll_elems() includes NUL byte[s], e.g. if it's
equal to "GS\x00". In that case len will be equal to 4, and the
strncmp(cp->name, sp, len) call will succeed when cp->name is "GS" but the
cp->name[len] == '\0' comparison will cause the read to go out-of-bounds.
Checking the length using strlen() instead eliminates the issue.
The bug was found in LLVM with oss-fuzz:
https://reviews.llvm.org/D39380
To generate a diff of this commit:
cvs rdiff -u -r1.36 -r1.37 src/lib/libc/regex/regcomp.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
