diff mbox

Fix array bounds violation in regex matcher (bug 25149)

Message ID mvmh83qh76x.fsf@suse.de
State Committed
Commit fc141ea78ee3d87c67b18488827fe2d89c9343e7
Headers

Commit Message

Andreas Schwab Oct. 30, 2019, 10:13 a.m. UTC 
  If the regex has more subexpressions than the number of elements allocated
in the regmatch_t array passed to regexec then proceed_next_node may
access the regmatch_t array outside its bounds.

No testcase added because even without this bug it would then crash in
pop_fail_stack which is bug 11053.
---
 posix/regexec.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

Comments

Paul Eggert Nov. 6, 2019, 5:53 a.m. UTC | #1 
Thanks, this patch looks good to me.
diff mbox

Patch

diff --git a/posix/regexec.c b/posix/regexec.c
index 4ff30a79c0..91c86ac406 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -1285,10 +1285,13 @@  proceed_next_node (const re_match_context_t *mctx, Idx nregs, regmatch_t *regs,
       if (type == OP_BACK_REF)
 	{
 	  Idx subexp_idx = dfa->nodes[node].opr.idx + 1;
-	  naccepted = regs[subexp_idx].rm_eo - regs[subexp_idx].rm_so;
+	  if (subexp_idx < nregs)
+	    naccepted = regs[subexp_idx].rm_eo - regs[subexp_idx].rm_so;
 	  if (fs != NULL)
 	    {
-	      if (regs[subexp_idx].rm_so == -1 || regs[subexp_idx].rm_eo == -1)
+	      if (subexp_idx >= nregs
+		  || regs[subexp_idx].rm_so == -1
+		  || regs[subexp_idx].rm_eo == -1)
 		return -1;
 	      else if (naccepted)
 		{