From 8f4aa7ddb908369db971d4c31850ca1eef2e3687 Mon Sep 17 00:00:00 2001 From: Simon Glass Date: Sun, 1 Nov 2020 14:15:42 -0700 Subject: setexpr: Correct buffer overflow bug and enable tests At present when more than one substitution is made this function overwrites its buffers. Fix this bug and update the tests now that they can pass. Also update the debug code to show all substrings, since at present it omits the final one. Fixes: 855f18ea0e6 ("setexpr: add regex substring matching and substitution") Signed-off-by: Simon Glass --- cmd/setexpr.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'cmd/setexpr.c') diff --git a/cmd/setexpr.c b/cmd/setexpr.c index 0cc7cf1..d364dbc 100644 --- a/cmd/setexpr.c +++ b/cmd/setexpr.c @@ -155,11 +155,11 @@ int setexpr_regex_sub(char *data, uint data_size, char *nbuf, uint nbuf_size, (void) memset(caps, 0, sizeof(caps)); - res = slre_match(&slre, datap, len, caps); + res = slre_match(&slre, datap, len - (datap - data), caps); debug("Result: %d\n", res); - for (i = 0; i < slre.num_caps; i++) { + for (i = 0; i <= slre.num_caps; i++) { if (caps[i].len > 0) { debug("Substring %d: [%.*s]\n", i, caps[i].len, caps[i].ptr); @@ -231,7 +231,7 @@ int setexpr_regex_sub(char *data, uint data_size, char *nbuf, uint nbuf_size, break; np = substitute(np, &nlen, - nbuf_size, + nbuf_size - (np - nbuf), backref, 2, caps[i].ptr, caps[i].len); @@ -241,8 +241,8 @@ int setexpr_regex_sub(char *data, uint data_size, char *nbuf, uint nbuf_size, } debug("## SUBST(2) ## %s\n", nbuf); - datap = substitute(datap, &len, data_size, old, olen, - nbuf, nlen); + datap = substitute(datap, &len, data_size - (datap - data), + old, olen, nbuf, nlen); if (datap == NULL) return 1; -- cgit v1.1