[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 1/2] regex: fix buffer overrun in regexp matcher
From: |
Paul Eggert |
Subject: |
[PATCH 1/2] regex: fix buffer overrun in regexp matcher |
Date: |
Tue, 29 Jan 2013 22:38:57 -0800 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130106 Thunderbird/17.0.2 |
* lib/regexec.c (extend_buffers): Add parameter min_len.
(check_matching): Pass minimum needed length.
(clean_state_log_if_needed): Likewise.
(get_subexp): Likewise.
---
ChangeLog | 8 ++++++++
lib/regexec.c | 16 +++++++++-------
2 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 9145f2f..ab95829 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2013-01-29 Andreas Schwab <address@hidden>
+
+ regex: fix buffer overrun in regexp matcher
+ * lib/regexec.c (extend_buffers): Add parameter min_len.
+ (check_matching): Pass minimum needed length.
+ (clean_state_log_if_needed): Likewise.
+ (get_subexp): Likewise.
+
2013-01-28 Pádraig Brady <address@hidden>
mountlist: don't consider "devtmpfs" as dummy
diff --git a/lib/regexec.c b/lib/regexec.c
index 41ac4d4..1bd1640 100644
--- a/lib/regexec.c
+++ b/lib/regexec.c
@@ -199,7 +199,7 @@ static Idx group_nodes_into_DFAstates (const re_dfa_t *dfa,
static bool check_node_accept (const re_match_context_t *mctx,
const re_token_t *node, Idx idx)
internal_function;
-static reg_errcode_t extend_buffers (re_match_context_t *mctx)
+static reg_errcode_t extend_buffers (re_match_context_t *mctx, int min_len)
internal_function;
/* Entry point for POSIX code. */
@@ -1176,7 +1176,7 @@ check_matching (re_match_context_t *mctx, bool
fl_longest_match,
|| (BE (next_char_idx >= mctx->input.valid_len, 0)
&& mctx->input.valid_len < mctx->input.len))
{
- err = extend_buffers (mctx);
+ err = extend_buffers (mctx, next_char_idx + 1);
if (BE (err != REG_NOERROR, 0))
{
assert (err == REG_ESPACE);
@@ -1756,7 +1756,7 @@ clean_state_log_if_needed (re_match_context_t *mctx, Idx
next_state_log_idx)
&& mctx->input.valid_len < mctx->input.len))
{
reg_errcode_t err;
- err = extend_buffers (mctx);
+ err = extend_buffers (mctx, next_state_log_idx + 1);
if (BE (err != REG_NOERROR, 0))
return err;
}
@@ -2813,7 +2813,7 @@ get_subexp (re_match_context_t *mctx, Idx bkref_node, Idx
bkref_str_idx)
if (bkref_str_off >= mctx->input.len)
break;
- err = extend_buffers (mctx);
+ err = extend_buffers (mctx, bkref_str_off + 1);
if (BE (err != REG_NOERROR, 0))
return err;
@@ -4128,7 +4128,7 @@ check_node_accept (const re_match_context_t *mctx, const
re_token_t *node,
static reg_errcode_t
internal_function __attribute_warn_unused_result__
-extend_buffers (re_match_context_t *mctx)
+extend_buffers (re_match_context_t *mctx, int min_len)
{
reg_errcode_t ret;
re_string_t *pstr = &mctx->input;
@@ -4138,8 +4138,10 @@ extend_buffers (re_match_context_t *mctx)
<= pstr->bufs_len, 0))
return REG_ESPACE;
- /* Double the lengths of the buffers. */
- ret = re_string_realloc_buffers (pstr, MIN (pstr->len, pstr->bufs_len * 2));
+ /* Double the lengths of the buffers, but allocate at least MIN_LEN. */
+ ret = re_string_realloc_buffers (pstr,
+ MAX (min_len,
+ MIN (pstr->len, pstr->bufs_len * 2)));
if (BE (ret != REG_NOERROR, 0))
return ret;
--
1.7.11.7
- [PATCH 1/2] regex: fix buffer overrun in regexp matcher,
Paul Eggert <=