diff options
author | Todd C. Miller <millert@cvs.openbsd.org> | 2019-02-05 19:38:38 +0000 |
---|---|---|
committer | Todd C. Miller <millert@cvs.openbsd.org> | 2019-02-05 19:38:38 +0000 |
commit | 55bbd64aec4aee727288e6ff8dde1404d554c10c (patch) | |
tree | e2753ec92f483a739e5022e539f011117b38a317 /lib/libc/regex | |
parent | 120e6b552c34597812e11d0548ee94172573dc22 (diff) |
Avoid an out of bounds read when regcomp() is passed a bad expression.
When an invalid regular expression is passed, seterr() is called which
sets p->error to the appropriate error code and sets p->next and
p->end to nuls[]. However, p->next is decremented in the default
case in p_ere_exp() and p_simp_re() which makes it point to one
byte before nuls[]. From FreeBSD. OK tedu@ deraadt@
Diffstat (limited to 'lib/libc/regex')
-rw-r--r-- | lib/libc/regex/regcomp.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/libc/regex/regcomp.c b/lib/libc/regex/regcomp.c index 19c86cc4c39..6e63550185d 100644 --- a/lib/libc/regex/regcomp.c +++ b/lib/libc/regex/regcomp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: regcomp.c,v 1.32 2017/10/30 06:48:20 otto Exp $ */ +/* $OpenBSD: regcomp.c,v 1.33 2019/02/05 19:38:37 millert Exp $ */ /*- * Copyright (c) 1992, 1993, 1994 Henry Spencer. * Copyright (c) 1992, 1993, 1994 @@ -353,6 +353,8 @@ p_ere_exp(struct parse *p) REQUIRE(!MORE() || !isdigit((uch)PEEK()), REG_BADRPT); /* FALLTHROUGH */ default: + if (p->error != 0) + return; ordinary(p, c); break; } @@ -555,6 +557,8 @@ p_simp_re(struct parse *p, REQUIRE(starordinary, REG_BADRPT); /* FALLTHROUGH */ default: + if (p->error != 0) + return; ordinary(p, (char)c); break; } |