libc/regex: fix two buffer underruns.

Fix some rather complex regex issues found on OpenBSD as part of some ongoing work to fix a sed(1) bug. Curiously the OpenBSD tests don't trigger segfaults on FreeBSD but the bugs were confirmed by running a port of FreeBSD's regex under OpenBSD's malloc. Huge thanks to Ingo for confirming the behavior. Taken from: Ingo Schwarze (through openbsd-tech 2016-05-15) MFC after: 1 week
2016-05-21 19:54:10 +00:00 · 2016-05-21 19:54:10 +00:00 · e9fe9edde7
commit e9fe9edde7
parent c515200599
1 changed files with 6 additions and 9 deletions
--- a/lib/libc/regex/engine.c
+++ b/lib/libc/regex/engine.c
@ -606,9 +606,9 @@ backref(struct match *m,
 				return(NULL);
 			break;
 		case OBOL:
-			if ( (sp == m->beginp && !(m->eflags&REG_NOTBOL)) ||
-					(sp < m->endp && *(sp-1) == '\n' &&
-						(m->g->cflags&REG_NEWLINE)) )
+			if ((sp == m->beginp && !(m->eflags&REG_NOTBOL)) ||
+			    (sp > m->offp && sp < m->endp &&
+			    *(sp-1) == '\n' && (m->g->cflags&REG_NEWLINE)))
 				{ /* yes */ }
 			else
 				return(NULL);
@ -622,12 +622,9 @@ backref(struct match *m,
 				return(NULL);
 			break;
 		case OBOW:
-			if (( (sp == m->beginp && !(m->eflags&REG_NOTBOL)) ||
-					(sp < m->endp && *(sp-1) == '\n' &&
-						(m->g->cflags&REG_NEWLINE)) ||
-					(sp > m->beginp &&
-							!ISWORD(*(sp-1))) ) &&
-					(sp < m->endp && ISWORD(*sp)) )
+			if (sp < m->endp && ISWORD(*sp) &&
+			    ((sp == m->beginp && !(m->eflags&REG_NOTBOL)) ||
+			    (sp > m->offp && !ISWORD(*(sp-1)))))
 				{ /* yes */ }
 			else
 				return(NULL);