| Brad Bishop | 1932369 | 2019-04-05 15:28:33 -0400 | [diff] [blame] | 1 | CVE: CVE-2019-9169 |
| 2 | Upstream-Status: Backport |
| 3 | Signed-off-by: Ross Burton <ross.burton@intel.com> |
| 4 | |
| 5 | From 583dd860d5b833037175247230a328f0050dbfe9 Mon Sep 17 00:00:00 2001 |
| 6 | From: Paul Eggert <eggert@cs.ucla.edu> |
| 7 | Date: Mon, 21 Jan 2019 11:08:13 -0800 |
| 8 | Subject: [PATCH] regex: fix read overrun [BZ #24114] |
| 9 | |
| 10 | Problem found by AddressSanitizer, reported by Hongxu Chen in: |
| 11 | https://debbugs.gnu.org/34140 |
| 12 | * posix/regexec.c (proceed_next_node): |
| 13 | Do not read past end of input buffer. |
| 14 | --- |
| 15 | posix/regexec.c | 6 ++++-- |
| 16 | 2 files changed, 13 insertions(+), 3 deletions(-) |
| 17 | |
| 18 | diff --git a/posix/regexec.c b/posix/regexec.c |
| 19 | index 91d5a79..084b122 100644 |
| 20 | --- a/posix/regexec.c |
| 21 | +++ b/posix/regexec.c |
| 22 | @@ -1293,8 +1293,10 @@ proceed_next_node (const re_match_context_t *mctx, Idx nregs, regmatch_t *regs, |
| 23 | else if (naccepted) |
| 24 | { |
| 25 | char *buf = (char *) re_string_get_buffer (&mctx->input); |
| 26 | - if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx, |
| 27 | - naccepted) != 0) |
| 28 | + if (mctx->input.valid_len - *pidx < naccepted |
| 29 | + || (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx, |
| 30 | + naccepted) |
| 31 | + != 0)) |
| 32 | return -1; |
| 33 | } |
| 34 | } |
| 35 | -- |
| 36 | 2.9.3 |