From patchwork Mon Aug 27 21:11:49 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paul Eggert X-Patchwork-Id: 29086 Received: (qmail 102811 invoked by alias); 27 Aug 2018 21:25:47 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 102715 invoked by uid 89); 27 Aug 2018 21:25:43 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-25.9 required=5.0 tests=AWL, BAYES_00, GIT_PATCH_0, GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3, SPF_PASS autolearn=ham version=3.3.2 spammy=D*co, H*Ad:D*edu X-HELO: zimbra.cs.ucla.edu From: Paul Eggert To: libc-alpha@sourceware.org Cc: Paul Eggert Subject: [committed] regex: fix uninitialized memory access Date: Mon, 27 Aug 2018 14:11:49 -0700 Message-Id: <20180827211149.10421-4-eggert@cs.ucla.edu> In-Reply-To: <20180827211149.10421-3-eggert@cs.ucla.edu> References: <3db72f1d-1547-c5eb-cf78-d6198be62c55@redhat.com> <20180827211149.10421-1-eggert@cs.ucla.edu> <20180827211149.10421-2-eggert@cs.ucla.edu> <20180827211149.10421-3-eggert@cs.ucla.edu> I introduced this bug into gnulib in commit 8335a4d6c7b4448cd0bcb6d0bebf1d456bcfdb17 dated 2006-04-10; eventually it was merged into glibc. The bug was found by project-repo and reported here: https://lists.gnu.org/r/sed-devel/2018-08/msg00017.html Diagnosis and draft fix reported by Assaf Gordon here: https://lists.gnu.org/r/bug-gnulib/2018-08/msg00071.html https://lists.gnu.org/r/bug-gnulib/2018-08/msg00142.html * posix/regex_internal.c (build_wcs_upper_buffer): Fix bug when mbrtowc returns 0. --- ChangeLog | 14 ++++++++++++++ posix/regex_internal.c | 4 ++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 67ee6ff46b..819b56f4ed 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,17 @@ +2018-08-25 Paul Eggert + + regex: fix uninitialized memory access + I introduced this bug into gnulib in commit + 8335a4d6c7b4448cd0bcb6d0bebf1d456bcfdb17 dated 2006-04-10; + eventually it was merged into glibc. The bug was found by + project-repo and reported here: + https://lists.gnu.org/r/sed-devel/2018-08/msg00017.html + Diagnosis and draft fix reported by Assaf Gordon here: + https://lists.gnu.org/r/bug-gnulib/2018-08/msg00071.html + https://lists.gnu.org/r/bug-gnulib/2018-08/msg00142.html + * posix/regex_internal.c (build_wcs_upper_buffer): + Fix bug when mbrtowc returns 0. + 2018-08-24 Carlos O'Donell * po/be.po: Update translation. diff --git a/posix/regex_internal.c b/posix/regex_internal.c index 7f0083b918..b10588f1cc 100644 --- a/posix/regex_internal.c +++ b/posix/regex_internal.c @@ -317,7 +317,7 @@ build_wcs_upper_buffer (re_string_t *pstr) mbclen = __mbrtowc (&wc, ((const char *) pstr->raw_mbs + pstr->raw_mbs_idx + byte_idx), remain_len, &pstr->cur_state); - if (BE (mbclen < (size_t) -2, 1)) + if (BE (0 < mbclen && mbclen < (size_t) -2, 1)) { wchar_t wcu = __towupper (wc); if (wcu != wc) @@ -386,7 +386,7 @@ build_wcs_upper_buffer (re_string_t *pstr) else p = (const char *) pstr->raw_mbs + pstr->raw_mbs_idx + src_idx; mbclen = __mbrtowc (&wc, p, remain_len, &pstr->cur_state); - if (BE (mbclen < (size_t) -2, 1)) + if (BE (0 < mbclen && mbclen < (size_t) -2, 1)) { wchar_t wcu = __towupper (wc); if (wcu != wc)