regex: fix buffer read overrun in search [BZ#28470]

Problem reported by Benno Schulenberg in: https://lists.gnu.org/r/bug-gnulib/2021-10/msg00035.html * posix/regexec.c (re_search_internal): Use better bounds check.
author: Paul Eggert <eggert@cs.ucla.edu> 2021-11-24 14:16:09 -0800
committer: Paul Eggert <eggert@cs.ucla.edu> 2021-11-24 14:16:09 -0800
commit: c52ef24829f95a819965214eeae28e3289a91a61 (patch)
tree: a6b392f79ecdf87f3c0bbe299b19ab6cab414dcc /posix/regexec.c
parent: c58d3b7d00d5b4295dfb884b38f3e5945227fa01 (diff)
download: glibc-c52ef24829f95a819965214eeae28e3289a91a61.zip
glibc-c52ef24829f95a819965214eeae28e3289a91a61.tar.gz
glibc-c52ef24829f95a819965214eeae28e3289a91a61.tar.bz2
1 files changed, 3 insertions, 4 deletions
diff --git a/posix/regexec.c b/posix/regexec.c
index 83e9aaf..6aeba3c 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -758,10 +758,9 @@ re_search_internal (const regex_t *preg, const char *string, Idx length,
 
 		  offset = match_first - mctx.input.raw_mbs_idx;
 		}
-	      /* If MATCH_FIRST is out of the buffer, leave it as '\0'.
-		 Note that MATCH_FIRST must not be smaller than 0.  */
-	      ch = (match_first >= length
-		    ? 0 : re_string_byte_at (&mctx.input, offset));
+	      /* Use buffer byte if OFFSET is in buffer, otherwise '\0'.  */
+	      ch = (offset < mctx.input.valid_len
+		    ? re_string_byte_at (&mctx.input, offset) : 0);
 	      if (fastmap[ch])
 		break;
 	      match_first += incr;
author	Paul Eggert <eggert@cs.ucla.edu>	2021-11-24 14:16:09 -0800
committer	Paul Eggert <eggert@cs.ucla.edu>	2021-11-24 14:16:09 -0800
commit	c52ef24829f95a819965214eeae28e3289a91a61 (patch)
tree	a6b392f79ecdf87f3c0bbe299b19ab6cab414dcc /posix/regexec.c
parent	c58d3b7d00d5b4295dfb884b38f3e5945227fa01 (diff)
download	glibc-c52ef24829f95a819965214eeae28e3289a91a61.zip glibc-c52ef24829f95a819965214eeae28e3289a91a61.tar.gz glibc-c52ef24829f95a819965214eeae28e3289a91a61.tar.bz2