Source-Changes-HG archive
[src/trunk]: src/lib/libc/regex Fix OOB read from FreeBSD:
details: https://anonhg.NetBSD.org/src/rev/2729f0d20a4a
branches: trunk
changeset: 448721:2729f0d20a4a
user: christos <christos%NetBSD.org@localhost>
date: Thu Feb 07 22:13:52 2019 +0000
description:
Fix OOB read from FreeBSD:
The bug is an out-of-bounds read detected with address sanitizer that
happens when 'sp' in p_b_coll_elems() includes NUL byte[s], e.g. if it's
equal to "GS\x00". In that case len will be equal to 4, and the
strncmp(cp->name, sp, len) call will succeed when cp->name is "GS" but the
cp->name[len] == '\0' comparison will cause the read to go out-of-bounds.
Checking the length using strlen() instead eliminates the issue.
The bug was found in LLVM with oss-fuzz:
https://reviews.llvm.org/D39380
diffstat:
lib/libc/regex/regcomp.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diffs (27 lines):
diff -r e5b7927f9ece -r 2729f0d20a4a lib/libc/regex/regcomp.c
--- a/lib/libc/regex/regcomp.c Thu Feb 07 21:53:50 2019 +0000
+++ b/lib/libc/regex/regcomp.c Thu Feb 07 22:13:52 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: regcomp.c,v 1.36 2015/09/12 19:08:47 christos Exp $ */
+/* $NetBSD: regcomp.c,v 1.37 2019/02/07 22:13:52 christos Exp $ */
/*-
* Copyright (c) 1992, 1993, 1994
@@ -76,7 +76,7 @@
#if 0
static char sccsid[] = "@(#)regcomp.c 8.5 (Berkeley) 3/20/94";
#else
-__RCSID("$NetBSD: regcomp.c,v 1.36 2015/09/12 19:08:47 christos Exp $");
+__RCSID("$NetBSD: regcomp.c,v 1.37 2019/02/07 22:13:52 christos Exp $");
#endif
#endif /* LIBC_SCCS and not lint */
@@ -1007,7 +1007,7 @@
}
len = p->next - sp;
for (cp = cnames; cp->name != NULL; cp++)
- if (strncmp(cp->name, sp, len) == 0 && cp->name[len] == '\0')
+ if (strncmp(cp->name, sp, len) == 0 && strlen(cp->name) == len)
return(cp->code); /* known name */
if (len == 1)
return(*sp); /* single character */
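Review bot: the `strlen(cp->name) == len` test on the changed line is the right fix, but the types deserve a look: `len` is assigned from the pointer difference `p->next - sp` (a `ptrdiff_t` expression) and is then compared with the `size_t` result of `strlen()`, so if `len` is not declared as `size_t` the comparison is a signed/unsigned mismatch that some compilers will warn about. With `len` as `size_t` the logic is sound: for `sp` equal to "GS\x00" and `len` 4, `strncmp(cp->name, sp, len)` still returns 0 for the entry "GS" because both strings terminate at the same position, but `strlen("GS")` is 2, so the entry is rejected without ever indexing `cp->name[len]` past its terminator. Calling `strlen()` on each iteration costs nothing noticeable here since `cnames` is a short static table, and it would be reasonable to mention in the comment that the length check is what guards against embedded NUL bytes in `sp`.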