summaryrefslogtreecommitdiff
path: root/lib/libc/regex
diff options
context:
space:
mode:
authorTodd C. Miller <millert@cvs.openbsd.org>2019-02-05 19:38:38 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>2019-02-05 19:38:38 +0000
commit55bbd64aec4aee727288e6ff8dde1404d554c10c (patch)
treee2753ec92f483a739e5022e539f011117b38a317 /lib/libc/regex
parent120e6b552c34597812e11d0548ee94172573dc22 (diff)
Avoid an out of bounds read when regcomp() is passed a bad expression.
When an invalid regular expression is passed, seterr() is called which sets p->error to the appropriate error code and sets p->next and p->end to nuls[]. However, p->next is decremented in the default case in p_ere_exp() and p_simp_re() which makes it point to one byte before nuls[]. From FreeBSD. OK tedu@ deraadt@
Diffstat (limited to 'lib/libc/regex')
-rw-r--r--lib/libc/regex/regcomp.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/libc/regex/regcomp.c b/lib/libc/regex/regcomp.c
index 19c86cc4c39..6e63550185d 100644
--- a/lib/libc/regex/regcomp.c
+++ b/lib/libc/regex/regcomp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: regcomp.c,v 1.32 2017/10/30 06:48:20 otto Exp $ */
+/* $OpenBSD: regcomp.c,v 1.33 2019/02/05 19:38:37 millert Exp $ */
/*-
* Copyright (c) 1992, 1993, 1994 Henry Spencer.
* Copyright (c) 1992, 1993, 1994
@@ -353,6 +353,8 @@ p_ere_exp(struct parse *p)
REQUIRE(!MORE() || !isdigit((uch)PEEK()), REG_BADRPT);
/* FALLTHROUGH */
default:
+ if (p->error != 0)
+ return;
ordinary(p, c);
break;
}
@@ -555,6 +557,8 @@ p_simp_re(struct parse *p,
REQUIRE(starordinary, REG_BADRPT);
/* FALLTHROUGH */
default:
+ if (p->error != 0)
+ return;
ordinary(p, (char)c);
break;
}