From 1f410c73aaa09f0990f20a0fe3c1ecb1af7c352b Mon Sep 17 00:00:00 2001
From: tjr <tjr@FreeBSD.org>
Date: Sun, 21 Nov 2004 03:14:32 +0000
Subject: Fix computation of the 'n' argument to mbrtowc (through XMBRTOWC) to
 avoid reading past 'stop' in various places when converting multibyte
 characters. Reading too far caused truncation to not be detected when it
 should have been, eventually causing regexec() to loop infinitely in with
 certain combinations of patterns and strings in multibyte locales.

PR:		74020
MFC after:	4 weeks
---
 lib/libc/regex/engine.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'lib/libc/regex')

diff --git a/lib/libc/regex/engine.c b/lib/libc/regex/engine.c
index e6484ef..f97a79b 100644
--- a/lib/libc/regex/engine.c
+++ b/lib/libc/regex/engine.c
@@ -331,7 +331,7 @@ int eflags;
 		NOTE("false alarm");
 		/* recycle starting later */
 		start = m->coldp + XMBRTOWC(NULL, m->coldp,
-		    m->endp - m->coldp, &m->mbs, 0);
+		    stop - m->coldp, &m->mbs, 0);
 		assert(start <= stop);
 	}
 
@@ -807,7 +807,7 @@ sopno stopst;
 		if (p == m->endp)
 			c = OUT;
 		else
-			clen = XMBRTOWC(&c, p, m->endp - p, &m->mbs, BADCHAR);
+			clen = XMBRTOWC(&c, p, stop - p, &m->mbs, BADCHAR);
 		if (EQ(st, fresh))
 			coldp = p;
 
@@ -861,7 +861,7 @@ sopno stopst;
 	assert(coldp != NULL);
 	m->coldp = coldp;
 	if (ISSET(st, stopst))
-		return(p+XMBRTOWC(NULL, p, m->endp - p, &m->mbs, 0));
+		return(p+XMBRTOWC(NULL, p, stop - p, &m->mbs, 0));
 	else
 		return(NULL);
 }
@@ -913,7 +913,7 @@ sopno stopst;
 			c = OUT;
 			clen = 0;
 		} else
-			clen = XMBRTOWC(&c, p, m->endp - p, &m->mbs, BADCHAR);
+			clen = XMBRTOWC(&c, p, stop - p, &m->mbs, BADCHAR);
 
 		/* is there an EOL and/or BOL between lastc and c? */
 		flagch = '\0';
-- 
cgit v1.1