aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlin Nastac <alin.nastac@gmail.com>2019-11-21 14:06:18 +0100
committerPetr Štetiar <ynezz@true.cz>2019-11-30 00:53:36 +0100
commit839bc1e15ed5c0e00a68c95798b47ae0e279e4e9 (patch)
tree891fca78cb1ff214cfd63ead7d81d25691fb24f9
parentca7f1ef575749e3e77961a86b00d9c5cbb9cab04 (diff)
downloadupstream-839bc1e15ed5c0e00a68c95798b47ae0e279e4e9.tar.gz
upstream-839bc1e15ed5c0e00a68c95798b47ae0e279e4e9.tar.bz2
upstream-839bc1e15ed5c0e00a68c95798b47ae0e279e4e9.zip
glibc: backport fix for regexec buffer read overrun
Problem found by AddressSanitizer[1]: Latest `grep` (git commit 1019e6e) compiled with asan may cause a heap-buffer-overflow when `-i` is specified. ./grep -i '\(\(\)*.\)*\(\)\(\)\1' /bin/chvt ================================================================= ==16206==ERROR: AddressSanitizer: heap-buffer-overflow on address 1. https://debbugs.gnu.org/34140 Ref: https://sourceware.org/bugzilla/show_bug.cgi?id=24114 Signed-off-by: Alin Nastac <alin.nastac@gmail.com> [commit title and description facelift] Signed-off-by: Petr Štetiar <ynezz@true.cz>
-rw-r--r--toolchain/glibc/patches/001-regex-read-overrun.patch26
1 files changed, 26 insertions, 0 deletions
diff --git a/toolchain/glibc/patches/001-regex-read-overrun.patch b/toolchain/glibc/patches/001-regex-read-overrun.patch
new file mode 100644
index 0000000000..c4e4307aa6
--- /dev/null
+++ b/toolchain/glibc/patches/001-regex-read-overrun.patch
@@ -0,0 +1,26 @@
+commit 583dd860d5b833037175247230a328f0050dbfe9
+Author: Paul Eggert <eggert@cs.ucla.edu>
+Date: Mon Jan 21 11:08:13 2019 -0800
+
+ regex: fix read overrun [BZ #24114]
+
+ Problem found by AddressSanitizer, reported by Hongxu Chen in:
+ https://debbugs.gnu.org/34140
+ * posix/regexec.c (proceed_next_node):
+ Do not read past end of input buffer.
+
+--- a/posix/regexec.c
++++ b/posix/regexec.c
+@@ -1293,8 +1293,10 @@ proceed_next_node (const re_match_context_t *mctx, Idx nregs, regmatch_t *regs,
+ else if (naccepted)
+ {
+ char *buf = (char *) re_string_get_buffer (&mctx->input);
+- if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
+- naccepted) != 0)
++ if (mctx->input.valid_len - *pidx < naccepted
++ || (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
++ naccepted)
++ != 0))
+ return -1;
+ }
+ }