From patchwork Fri Jul 13 15:35:40 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Florian Weimer <fweimer@redhat.com>
X-Patchwork-Id: 28385
Received: (qmail 129432 invoked by alias); 13 Jul 2018 15:35:44 -0000
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-alpha.sourceware.org>
List-Unsubscribe: <mailto:libc-alpha-unsubscribe-##L=##H@sourceware.org>
List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-help@sourceware.org>,
	<http://sourceware.org/ml/#faqs>
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
Received: (qmail 129421 invoked by uid 89); 13 Jul 2018 15:35:43 -0000
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-25.9 required=5.0 tests=BAYES_00, GIT_PATCH_0,
	GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3,
	KAM_LAZY_DOMAIN_SECURITY,
	SPF_HELO_PASS autolearn=ham version=3.3.2 spammy=off-by-one,
	offbyone
X-HELO: mx1.redhat.com
Date: Fri, 13 Jul 2018 17:35:40 +0200
To: libc-alpha@sourceware.org
Subject: [PATCH] regcomp: Fix off-by-one bug in build_equiv_class [BZ #23396]
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Message-Id: <20180713153540.2B5BB43994575@oldenburg.str.redhat.com>
From: fweimer@redhat.com (Florian Weimer)

This bug is very similar to bug 23036: The existing code assumed that
the length count included the length byte itself.

2018-07-13  Florian Weimer  <fweimer@redhat.com>

	[BZ #23396]
	* posix/regcomp.c (build_equiv_class): When comparing weights, do
	not compare an extra byte after the end of the weights.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>

diff --git a/posix/regcomp.c b/posix/regcomp.c
index 7b5ddaad0c..545d188468 100644
--- a/posix/regcomp.c
+++ b/posix/regcomp.c
@@ -3531,18 +3531,10 @@ build_equiv_class (bitset_t sbcset, const unsigned char *name)
 	    continue;
 	  /* Compare only if the length matches and the collation rule
 	     index is the same.  */
-	  if (len == weights[idx2 & 0xffffff] && (idx1 >> 24) == (idx2 >> 24))
-	    {
-	      int cnt = 0;
-
-	      while (cnt <= len &&
-		     weights[(idx1 & 0xffffff) + 1 + cnt]
-		     == weights[(idx2 & 0xffffff) + 1 + cnt])
-		++cnt;
-
-	      if (cnt > len)
-		bitset_set (sbcset, ch);
-	    }
+	  if (len == weights[idx2 & 0xffffff] && (idx1 >> 24) == (idx2 >> 24)
+	      && memcmp (weights + (idx1 & 0xffffff) + 1,
+			 weights + (idx2 & 0xffffff) + 1, len) == 0)
+	    bitset_set (sbcset, ch);
 	}
       /* Check whether the array has enough space.  */
       if (BE (*equiv_class_alloc == mbcset->nequiv_classes, 0))