| CVE: CVE-2019-9169 |
| CVE: CVE-2018-20796 |
| Upstream-Status: Backport |
| Signed-off-by: Ross Burton <ross.burton@intel.com> |
| |
| From 583dd860d5b833037175247230a328f0050dbfe9 Mon Sep 17 00:00:00 2001 |
| From: Paul Eggert <eggert@cs.ucla.edu> |
| Date: Mon, 21 Jan 2019 11:08:13 -0800 |
| Subject: [PATCH] regex: fix read overrun [BZ #24114] |
| |
| Problem found by AddressSanitizer, reported by Hongxu Chen in: |
| https://debbugs.gnu.org/34140 |
| * posix/regexec.c (proceed_next_node): |
| Do not read past end of input buffer. |
| --- |
| posix/regexec.c | 6 ++++-- |
| 2 files changed, 13 insertions(+), 3 deletions(-) |
| |
| diff --git a/posix/regexec.c b/posix/regexec.c |
| index 91d5a79..084b122 100644 |
| --- a/posix/regexec.c |
| +++ b/posix/regexec.c |
| @@ -1293,8 +1293,10 @@ proceed_next_node (const re_match_context_t *mctx, Idx nregs, regmatch_t *regs, |
| else if (naccepted) |
| { |
| char *buf = (char *) re_string_get_buffer (&mctx->input); |
| - if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx, |
| - naccepted) != 0) |
| + if (mctx->input.valid_len - *pidx < naccepted |
| + || (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx, |
| + naccepted) |
| + != 0)) |
| return -1; |
| } |
| } |
| -- |
| 2.9.3 |