Fix array bounds violation in regex matcher (bug 25149)
authorAndreas Schwab <schwab@suse.de>
Wed, 30 Oct 2019 09:38:36 +0000 (10:38 +0100)
committerAndreas Schwab <schwab@suse.de>
Mon, 11 Nov 2019 11:24:59 +0000 (12:24 +0100)
If the regex has more subexpressions than the number of elements allocated
in the regmatch_t array passed to regexec then proceed_next_node may
access the regmatch_t array outside its bounds.

No testcase added because even without this bug it would then crash in
pop_fail_stack which is bug 11053.

posix/regexec.c

index 3c46ac81dd64dff9fc03a0ce7402b251858a04a8..38b6d6719ade4241ccffc2608ae0d34a77ac1b69 100644 (file)
@@ -1266,10 +1266,13 @@ proceed_next_node (const re_match_context_t *mctx, Idx nregs, regmatch_t *regs,
       if (type == OP_BACK_REF)
        {
          Idx subexp_idx = dfa->nodes[node].opr.idx + 1;
-         naccepted = regs[subexp_idx].rm_eo - regs[subexp_idx].rm_so;
+         if (subexp_idx < nregs)
+           naccepted = regs[subexp_idx].rm_eo - regs[subexp_idx].rm_so;
          if (fs != NULL)
            {
-             if (regs[subexp_idx].rm_so == -1 || regs[subexp_idx].rm_eo == -1)
+             if (subexp_idx >= nregs
+                 || regs[subexp_idx].rm_so == -1
+                 || regs[subexp_idx].rm_eo == -1)
                return -1;
              else if (naccepted)
                {
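Review bot: When `subexp_idx >= nregs` and `fs == NULL`, the new guard skips the assignment and the code continues with whatever `naccepted` already holds, so the safety of that path depends on an initialisation that is not visible in this hunk. If `naccepted` starts at zero, an out-of-range back-reference is then treated as an empty match, whereas the `fs != NULL` path returns -1; that asymmetry deserves a comment above the first check, for example `/* No regs slot for this group: leave naccepted unchanged; only the fs != NULL path reports failure. */`. The bounds test also appears twice in opposite senses, and a single `bool in_range = subexp_idx < nregs;` used by both conditions would keep them from drifting apart. proceed_next_node begins and ends outside the hunk, so the declaration of `naccepted` should be confirmed there.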