authorIngo Schwarze <schwarze@cvs.openbsd.org>2016-05-17 22:03:19 +0000
committerIngo Schwarze <schwarze@cvs.openbsd.org>2016-05-17 22:03:19 +0000
commit2e0d3c090d56955872a792aad74c7e3b9ebb0c91 (patch)
treece87f5a200852361fd38d7485a3ffa24451f8a1f /lib/libc/regex
parent116b6fec4cd7bb90f26b8168f0faabdfe0a5e7e7 (diff)
Fix a one-byte buffer underflow (read access only).
This change touches code that only runs when REG_BASIC is given and the regular expression is anchored with ^ _and_ uses backreferences. The segfault could only be triggered when the ^ anchor was inside a leading () subexpression quantified with *. OK martijn@ Patch also proofread by Pedro Giffuni <pfg at FreeBSD dot org>.
Diffstat (limited to 'lib/libc/regex')
-rw-r--r--lib/libc/regex/engine.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/lib/libc/regex/engine.c b/lib/libc/regex/engine.c
index fe7b0ff9133..b21928bbf99 100644
--- a/lib/libc/regex/engine.c
+++ b/lib/libc/regex/engine.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: engine.c,v 1.19 2015/12/28 23:01:22 mmcc Exp $ */
+/* $OpenBSD: engine.c,v 1.20 2016/05/17 22:03:18 schwarze Exp $ */
/*-
* Copyright (c) 1992, 1993, 1994 Henry Spencer.
@@ -506,9 +506,9 @@ backref(struct match *m, char *start, char *stop, sopno startst, sopno stopst,
return(NULL);
break;
case OBOL:
- if ( (sp == m->beginp && !(m->eflags&REG_NOTBOL)) ||
- (sp < m->endp && *(sp-1) == '\n' &&
- (m->g->cflags&REG_NEWLINE)) )
+ if ((sp == m->beginp && !(m->eflags&REG_NOTBOL)) ||
+ (sp > m->offp && sp < m->endp &&
+ *(sp-1) == '\n' && (m->g->cflags&REG_NEWLINE)))
{ /* yes */ }
else
return(NULL);
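Review bot: The new lower bound in the OBOL case compares against `m->offp` while the first disjunct compares against `m->beginp`, and nothing in the code says why the two differ or that `sp > m->offp` is the check that keeps `*(sp-1)` inside the buffer. A one-line comment above the condition would preserve that invariant for later edits, for example `/* sp > m->offp: *(sp-1) must never read before the start of the buffer */`. The rest of backref()'s switch lies outside this hunk, so it is worth confirming whether any sibling case there reads `*(sp-1)` behind only an `sp < m->endp` check, since it would presumably need the same guard. The diffstat shown is limited to lib/libc/regex and lists no test, so a regression case for the pattern shape described in the commit message would help keep the fix in place.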