Fix out-of-bounds read in libc/regex.

The bug is an out-of-bounds read detected with address sanitizer that happens when 'sp' in p_b_coll_elems() includes NUL byte[s], e.g. if it's equal to "GS\x00". In that case len will be equal to 4, and the strncmp(cp->name, sp, len) call will succeed when cp->name is "GS" but the cp->name[len] == '\0' comparison will cause the read to go out-of-bounds. Checking the length using strlen() instead eliminates the issue. The bug was found in LLVM with oss-fuzz: https://reviews.llvm.org/D39380 MFC after: 1 week Obtained from: Vlad Tsyrklevich through posting on openbsd-tech
svn path=/head/; revision=325066
2017-10-28 20:09:34 +00:00 · 2017-10-28 20:09:34 +00:00 · 0f23ab8aac · 2020-12-20 02:59:44 +00:00
commit 0f23ab8aac
parent 3faac3ea79
1 changed files with 1 additions and 1 deletions
--- a/lib/libc/regex/regcomp.c
+++ b/lib/libc/regex/regcomp.c
@ -1059,7 +1059,7 @@ p_b_coll_elem(struct parse *p,
 	}
 	len = p->next - sp;
 	for (cp = cnames; cp->name != NULL; cp++)
-		if (strncmp(cp->name, sp, len) == 0 && cp->name[len] == '\0')
+		if (strncmp(cp->name, sp, len) == 0 && strlen(cp->name) == len)
 			return(cp->code);	/* known name */
 	memset(&mbs, 0, sizeof(mbs));
 	if ((clen = mbrtowc(&wc, sp, len, &mbs)) == len)