diff options
author | pfg <pfg@FreeBSD.org> | 2017-11-04 14:44:07 +0000 |
---|---|---|
committer | pfg <pfg@FreeBSD.org> | 2017-11-04 14:44:07 +0000 |
commit | d27785b10fa4530fa6a277262ab105a6b0d17c42 (patch) | |
tree | 7a504889d6b3eb02fc3e56a9d28c9222ebcb4838 /lib | |
parent | 82f5d2b57b15a5b32a92f60b020667eeaafd3272 (diff) | |
download | FreeBSD-src-d27785b10fa4530fa6a277262ab105a6b0d17c42.zip FreeBSD-src-d27785b10fa4530fa6a277262ab105a6b0d17c42.tar.gz |
MFC r325066:
Fix out-of-bounds read in libc/regex.
The bug is an out-of-bounds read detected with address sanitizer that
happens when 'sp' in p_b_coll_elems() includes NUL byte[s], e.g. if it's
equal to "GS\x00". In that case len will be equal to 4, and the
strncmp(cp->name, sp, len) call will succeed when cp->name is "GS" but the
cp->name[len] == '\0' comparison will cause the read to go out-of-bounds.
Checking the length using strlen() instead eliminates the issue.
The bug was found in LLVM with oss-fuzz:
https://reviews.llvm.org/D39380
Obtained from: Vlad Tsyrklevich through posting on openbsd-tech
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libc/regex/regcomp.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/libc/regex/regcomp.c b/lib/libc/regex/regcomp.c index b9e67c6..1967ff1 100644 --- a/lib/libc/regex/regcomp.c +++ b/lib/libc/regex/regcomp.c @@ -921,7 +921,7 @@ p_b_coll_elem(struct parse *p, } len = p->next - sp; for (cp = cnames; cp->name != NULL; cp++) - if (strncmp(cp->name, sp, len) == 0 && cp->name[len] == '\0') + if (strncmp(cp->name, sp, len) == 0 && strlen(cp->name) == len) return(cp->code); /* known name */ memset(&mbs, 0, sizeof(mbs)); if ((clen = mbrtowc(&wc, sp, len, &mbs)) == len) |