Fix out-of-bounds read in libc/regex.
The bug is an out-of-bounds read detected with address sanitizer that happens when 'sp' in p_b_coll_elems() includes NUL byte[s], e.g. if it's equal to "GS\x00". In that case len will be equal to 4, and the strncmp(cp->name, sp, len) call will succeed when cp->name is "GS" but the cp->name[len] == '\0' comparison will cause the read to go out-of-bounds. Checking the length using strlen() instead eliminates the issue. The bug was found in LLVM with oss-fuzz: https://reviews.llvm.org/D39380 MFC after: 1 week Obtained from: Vlad Tsyrklevich through posting on openbsd-tech
This commit is contained in:
parent
3faac3ea79
commit
0f23ab8aac
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=325066
@ -1059,7 +1059,7 @@ p_b_coll_elem(struct parse *p,
|
||||
}
|
||||
len = p->next - sp;
|
||||
for (cp = cnames; cp->name != NULL; cp++)
|
||||
if (strncmp(cp->name, sp, len) == 0 && cp->name[len] == '\0')
|
||||
if (strncmp(cp->name, sp, len) == 0 && strlen(cp->name) == len)
|
||||
return(cp->code); /* known name */
|
||||
memset(&mbs, 0, sizeof(mbs));
|
||||
if ((clen = mbrtowc(&wc, sp, len, &mbs)) == len)
|
||||
|
Loading…
Reference in New Issue
Block a user