MFC r325066:

Fix out-of-bounds read in libc/regex. The bug is an out-of-bounds read detected with address sanitizer that happens when 'sp' in p_b_coll_elems() includes NUL byte[s], e.g. if it's equal to "GS\x00". In that case len will be equal to 4, and the strncmp(cp->name, sp, len) call will succeed when cp->name is "GS" but the cp->name[len] == '\0' comparison will cause the read to go out-of-bounds. Checking the length using strlen() instead eliminates the issue. The bug was found in LLVM with oss-fuzz: https://reviews.llvm.org/D39380 Obtained from: Vlad Tsyrklevich through posting on openbsd-tech
author: pfg <pfg@FreeBSD.org> 2017-11-04 14:44:07 +0000
committer: pfg <pfg@FreeBSD.org> 2017-11-04 14:44:07 +0000
commit: d27785b10fa4530fa6a277262ab105a6b0d17c42 (patch)
tree: 7a504889d6b3eb02fc3e56a9d28c9222ebcb4838 /lib
parent: 82f5d2b57b15a5b32a92f60b020667eeaafd3272 (diff)
download: FreeBSD-src-d27785b10fa4530fa6a277262ab105a6b0d17c42.zip
FreeBSD-src-d27785b10fa4530fa6a277262ab105a6b0d17c42.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/libc/regex/regcomp.c b/lib/libc/regex/regcomp.c
index b9e67c6..1967ff1 100644
--- a/lib/libc/regex/regcomp.c
+++ b/lib/libc/regex/regcomp.c
@@ -921,7 +921,7 @@ p_b_coll_elem(struct parse *p,
 	}
 	len = p->next - sp;
 	for (cp = cnames; cp->name != NULL; cp++)
-		if (strncmp(cp->name, sp, len) == 0 && cp->name[len] == '\0')
+		if (strncmp(cp->name, sp, len) == 0 && strlen(cp->name) == len)
 			return(cp->code);	/* known name */
 	memset(&mbs, 0, sizeof(mbs));
 	if ((clen = mbrtowc(&wc, sp, len, &mbs)) == len)
author	pfg <pfg@FreeBSD.org>	2017-11-04 14:44:07 +0000
committer	pfg <pfg@FreeBSD.org>	2017-11-04 14:44:07 +0000
commit	d27785b10fa4530fa6a277262ab105a6b0d17c42 (patch)
tree	7a504889d6b3eb02fc3e56a9d28c9222ebcb4838 /lib
parent	82f5d2b57b15a5b32a92f60b020667eeaafd3272 (diff)
download	FreeBSD-src-d27785b10fa4530fa6a277262ab105a6b0d17c42.zip FreeBSD-src-d27785b10fa4530fa6a277262ab105a6b0d17c42.tar.gz