Re: regcomp() signedness issues

[RVP <rvp%SDF.ORG@localhost>]

On Sat, 28 Dec 2024, Christos Zoulas wrote:

> In article <CAJgzZooHNebuUuEYghmrAYn+uh425PSYDSgge0BvaXnCeKGd5A%mail.gmail.com@localhost>,
> enh  <enh%google.com@localhost> wrote:
> > -=-=-=-=-=-
> >
> > a trivial fuzzer someone once wrote blew up on this input to regcomp()
> > [passed directly to regcomp() after adding a trailing '\0']:
> >
> > xxd
> > ~~/Downloads/clusterfuzz-testcase-minimized-regexec_fuzzer-5459313584832512
> > 00000000: 6a3a 5b5d 6a3a 5b5d 6a3a 5bd9 6a3a 5b5d  j:[]j:[]j:[.j:[]
>
> I can't reproduce this in current:
>
> 	if ((e = regcomp(&re, "j:[]j:[]j:[.j:[]", REG_EXTENDED)) != 0) {

Ah, I see what's wrong: it's 0xD9 instead of 0x2E (.) in the pattern.

```
$ cat g.c
/**

 Compile regex sources w/o -DNLS:

 cc -I/usr/src/include -I/usr/src/tools/compat \
	-I/usr/tools/include/compat -g -o g g.c \
	/usr/src/lib/libc/regex/reg*.c

*/

#include <err.h>
#include <regex.h>

int main(void) {
	char* pat = "j:[]j:[]j:[\xD9j:[]";	/* \xD9, not \x2E (.) */
	regex_t re;
	int e;

	if ((e = regcomp(&re, pat, REG_EXTENDED)) != 0)
		err(1, "regcomp() failed");
	regfree(&re);
	return 0;
}
$ cc [...] -g -o g g.c [...]
$ ./g
./g
Segmentation fault (core dumped)
$ gdb g g.core
GNU gdb (GDB) 15.1
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64--netbsd".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from g...
[New process 3956]
Core was generated by `g'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000405454 in CHadd (p=0x7f7fffffe2d0, cs=0x7f7ff7a90058, ch=-39) at /usr/src/lib/libc/regex/regcomp.c:1769
1769                    cs->bmp[(unsigned)ch >> 3] |= 1 << (ch & 7);
(gdb) 
```

This is just PR bin/58092 (AKA lib/58910).

-RVP