This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
[PATCH] Fix array bounds violation in regex matcher (bug 25149)
- From: Andreas Schwab <schwab at suse dot de>
- To: libc-alpha at sourceware dot org
- Date: Wed, 30 Oct 2019 11:13:42 +0100
- Subject: [PATCH] Fix array bounds violation in regex matcher (bug 25149)
If the regex has more subexpressions than the number of elements allocated
in the regmatch_t array passed to regexec then proceed_next_node may
access the regmatch_t array outside its bounds.
No testcase added because even without this bug it would then crash in
pop_fail_stack which is bug 11053.
---
posix/regexec.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/posix/regexec.c b/posix/regexec.c
index 4ff30a79c0..91c86ac406 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -1285,10 +1285,13 @@ proceed_next_node (const re_match_context_t *mctx, Idx nregs, regmatch_t *regs,
if (type == OP_BACK_REF)
{
Idx subexp_idx = dfa->nodes[node].opr.idx + 1;
- naccepted = regs[subexp_idx].rm_eo - regs[subexp_idx].rm_so;
+ if (subexp_idx < nregs)
+ naccepted = regs[subexp_idx].rm_eo - regs[subexp_idx].rm_so;
if (fs != NULL)
{
- if (regs[subexp_idx].rm_so == -1 || regs[subexp_idx].rm_eo == -1)
+ if (subexp_idx >= nregs
+ || regs[subexp_idx].rm_so == -1
+ || regs[subexp_idx].rm_eo == -1)
return -1;
else if (naccepted)
{
--
2.23.0
--
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."