diff options
| author |   millert <millert@openbsd.org> | 2019-02-05 19:38:37 +0000 |
|---|---|---|
| committer | millert <millert@openbsd.org> | 2019-02-05 19:38:37 +0000 |
| commit | a89c4902254dfa1737ffc8886013879ba1d03c88 (patch) | |
| tree | ccc4c569f06eddfe9c66992b61e19f893d26398a /lib/libc | |
| parent | unref resolver in error branch (diff) | |
| download | wireguard-openbsd-a89c4902254dfa1737ffc8886013879ba1d03c88.tar.xz wireguard-openbsd-a89c4902254dfa1737ffc8886013879ba1d03c88.zip | |
Avoid an out of bounds read when regcomp() is passed a bad expression.
When an invalid regular expression is passed, seterr() is called which
sets p->error to the appropriate error code and sets p->next and
p->end to nuls[]. However, p->next is decremented in the default
case in p_ere_exp() and p_simp_re() which makes it point to one
byte before nuls[]. From FreeBSD. OK tedu@ deraadt@
Diffstat (limited to 'lib/libc')
| -rw-r--r-- | lib/libc/regex/regcomp.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/libc/regex/regcomp.c b/lib/libc/regex/regcomp.c index 19c86cc4c39..6e63550185d 100644 --- a/lib/libc/regex/regcomp.c +++ b/lib/libc/regex/regcomp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: regcomp.c,v 1.32 2017/10/30 06:48:20 otto Exp $ */ +/* $OpenBSD: regcomp.c,v 1.33 2019/02/05 19:38:37 millert Exp $ */ /*- * Copyright (c) 1992, 1993, 1994 Henry Spencer. * Copyright (c) 1992, 1993, 1994 @@ -353,6 +353,8 @@ p_ere_exp(struct parse *p) REQUIRE(!MORE() || !isdigit((uch)PEEK()), REG_BADRPT); /* FALLTHROUGH */ default: + if (p->error != 0) + return; ordinary(p, c); break; } @@ -555,6 +557,8 @@ p_simp_re(struct parse *p, REQUIRE(starordinary, REG_BADRPT); /* FALLTHROUGH */ default: + if (p->error != 0) + return; ordinary(p, (char)c); break; } |