diff options
author | Florian Weimer <fweimer@redhat.com> | 2018-07-20 11:58:51 +0200 |
---|---|---|
committer | Florian Weimer <fweimer@redhat.com> | 2018-07-20 11:58:51 +0200 |
commit | 786658a08829e8a303d846406812f9245846e99c (patch) | |
tree | f29b3d0d1271d0a1c9555fce35a906388ac783e5 /posix/regcomp.c | |
parent | 2d5c41ded92bf1247ba2a29ad2074cf79dc15669 (diff) | |
download | glibc-786658a08829e8a303d846406812f9245846e99c.zip glibc-786658a08829e8a303d846406812f9245846e99c.tar.gz glibc-786658a08829e8a303d846406812f9245846e99c.tar.bz2 |
regcomp: Fix off-by-one bug in build_equiv_class [BZ #23396]
This bug is very similar to bug 23036: The existing code assumed that
the length count included the length byte itself.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Diffstat (limited to 'posix/regcomp.c')
-rw-r--r-- | posix/regcomp.c | 16 |
1 files changed, 4 insertions, 12 deletions
diff --git a/posix/regcomp.c b/posix/regcomp.c index 7b5ddaa..545d188 100644 --- a/posix/regcomp.c +++ b/posix/regcomp.c @@ -3531,18 +3531,10 @@ build_equiv_class (bitset_t sbcset, const unsigned char *name) continue; /* Compare only if the length matches and the collation rule index is the same. */ - if (len == weights[idx2 & 0xffffff] && (idx1 >> 24) == (idx2 >> 24)) - { - int cnt = 0; - - while (cnt <= len && - weights[(idx1 & 0xffffff) + 1 + cnt] - == weights[(idx2 & 0xffffff) + 1 + cnt]) - ++cnt; - - if (cnt > len) - bitset_set (sbcset, ch); - } + if (len == weights[idx2 & 0xffffff] && (idx1 >> 24) == (idx2 >> 24) + && memcmp (weights + (idx1 & 0xffffff) + 1, + weights + (idx2 & 0xffffff) + 1, len) == 0) + bitset_set (sbcset, ch); } /* Check whether the array has enough space. */ if (BE (*equiv_class_alloc == mbcset->nequiv_classes, 0)) |