1 | commit f3a6cc0a560a17f32a3e90d2f20501a53cab6058 |
2 | Author: Andreas Schwab <schwab@redhat.com> | |
3 | Date: Tue Nov 29 10:52:22 2011 +0100 | |
4 | ||
5 | Fix access after end of search string in regex matcher | |
6 | ||
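diff --git a/locale/weight.h b/locale/weight.h
index dc70a00..967e176 100644
--- a/locale/weight.h
+++ b/locale/weight.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 1996,1997,1998,1999,2000,2003,2004 Free Software Foundation, Inc.
+/* Copyright (C) 1996,1997,1998,1999,2000,2003,2004,2011 Free Software Foundation, Inc.
 This file is part of the GNU C Library.
 Written by Ulrich Drepper, <drepper@cygnus.com>.
 
@@ -20,7 +20,7 @@
 /* Find index of weight. */
 auto inline int32_t
 __attribute ((always_inline))
-findidx (const unsigned char **cpp)
+findidx (const unsigned char **cpp, size_t len)
 {
 int_fast32_t i = table[*(*cpp)++];
 const unsigned char *cp;
@@ -34,6 +34,7 @@ findidx (const unsigned char **cpp)
 Search for the correct one. */
 cp = &extra[-i];
 usrc = *cpp;
+ --len;
 while (1)
 {
 size_t nhere;
@@ -56,7 +57,7 @@ findidx (const unsigned char **cpp)
 already. */
 size_t cnt;
 
- for (cnt = 0; cnt < nhere; ++cnt)
+ for (cnt = 0; cnt < nhere && cnt < len; ++cnt)
 if (cp[cnt] != usrc[cnt])
 break;
 
@@ -79,13 +80,13 @@ findidx (const unsigned char **cpp)
 size_t cnt;
 size_t offset = 0;
 
- for (cnt = 0; cnt < nhere; ++cnt)
+ for (cnt = 0; cnt < nhere && cnt < len; ++cnt)
 if (cp[cnt] != usrc[cnt])
 break;
 
 if (cnt != nhere)
 {
- if (cnt == len || cp[cnt] > usrc[cnt])
+ if (cnt == len || cp[cnt] > usrc[cnt])
 {
 /* Cannot be in this range. */
 cp += 2 * nhere;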
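Review bot: The new `len` parameter of findidx has no documented contract, and a length of 0 defeats the bound: the first lookup `table[*(*cpp)++]` reads an element before `len` is consulted, and the added `--len;` then wraps to SIZE_MAX, so both `cnt < len` tests stop limiting anything. The callers that compute a length (`string_end - n` in posix/fnmatch_loop.c, `pstr->len - idx` in posix/regex_internal.h) do not show in their hunks that the value is at least 1, so that should be confirmed or asserted at those sites. I would extend the comment above the function to `/* Find index of weight. LEN is the number of elements readable at *CPP and must be at least 1; (size_t) -1 means the input is NUL-terminated. */`, and the same applies to the wide-character findidx in locale/weightwc.h. The range branch continues after `cp += 2 * nhere;` outside this hunk, so any later loop there that indexes `usrc` needs the same `len` bound.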
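diff --git a/locale/weightwc.h b/locale/weightwc.h
index 9ea1126..7862091 100644
--- a/locale/weightwc.h
+++ b/locale/weightwc.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 1996-2001,2003,2004,2005,2007 Free Software Foundation, Inc.
+/* Copyright (C) 1996-2001,2003,2004,2005,2007,2011 Free Software Foundation, Inc.
 This file is part of the GNU C Library.
 Written by Ulrich Drepper, <drepper@cygnus.com>.
 
@@ -20,7 +20,7 @@
 /* Find index of weight. */
 auto inline int32_t
 __attribute ((always_inline))
-findidx (const wint_t **cpp)
+findidx (const wint_t **cpp, size_t len)
 {
 wint_t ch = *(*cpp)++;
 int32_t i = __collidx_table_lookup ((const char *) table, ch);
@@ -32,6 +32,7 @@ findidx (const wint_t **cpp)
 /* Oh well, more than one sequence starting with this byte.
 Search for the correct one. */
 const int32_t *cp = (const int32_t *) &extra[-i];
+ --len;
 while (1)
 {
 size_t nhere;
@@ -54,7 +55,7 @@ findidx (const wint_t **cpp)
 already. */
 size_t cnt;
 
- for (cnt = 0; cnt < nhere; ++cnt)
+ for (cnt = 0; cnt < nhere && cnt < len; ++cnt)
 if (cp[cnt] != usrc[cnt])
 break;
 
@@ -75,7 +76,7 @@ findidx (const wint_t **cpp)
 size_t cnt;
 size_t offset;
 
- for (cnt = 0; cnt < nhere - 1; ++cnt)
+ for (cnt = 0; cnt < nhere - 1 && cnt < len; ++cnt)
 if (cp[cnt] != usrc[cnt])
 break;
 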
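Review bot: The range loop `for (cnt = 0; cnt < nhere - 1 && cnt < len; ++cnt)` can now stop because the input ran out, but no visible line tells that case apart from a complete match of the first `nhere - 1` elements. locale/weight.h received `if (cnt == len || cp[cnt] > usrc[cnt])` for exactly this situation; the code after this loop lies outside the hunk, so an equivalent test cannot be confirmed here. If that code goes on to read `usrc[nhere - 1]` or `usrc[cnt]`, then with `len == nhere - 1` the read lands one element past the bound this commit introduces. The check after the loop should treat exhaustion as a non-match first, for example `if (cnt < nhere - 1 || cnt == len)` before skipping to the next entry.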
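diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
index 18a6667..72bd3ee 100644
--- a/posix/fnmatch_loop.c
+++ b/posix/fnmatch_loop.c
@@ -412,7 +412,7 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
 _NL_CURRENT (LC_COLLATE, _NL_COLLATE_INDIRECTMB);
 # endif
 
- idx = findidx (&cp);
+ idx = findidx (&cp, 1);
 if (idx != 0)
 {
 /* We found a table entry. Now see whether the
@@ -422,7 +422,7 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
 int32_t idx2;
 const UCHAR *np = (const UCHAR *) n;
 
- idx2 = findidx (&np);
+ idx2 = findidx (&np, string_end - n);
 if (idx2 != 0
 && (idx >> 24) == (idx2 >> 24)
 && len == weights[idx2 & 0xffffff])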
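diff --git a/posix/regcomp.c b/posix/regcomp.c
index b238c08..34ee845 100644
--- a/posix/regcomp.c
+++ b/posix/regcomp.c
@@ -1,5 +1,5 @@
 /* Extended regular expression matching and search library.
- Copyright (C) 2002-2007,2009,2010 Free Software Foundation, Inc.
+ Copyright (C) 2002-2007,2009,2010,2011 Free Software Foundation, Inc.
 This file is part of the GNU C Library.
 Contributed by Isamu Hasegawa <isamu@yamato.ibm.com>.
 
@@ -3409,19 +3409,18 @@ build_equiv_class (bitset_t sbcset, const unsigned char *name)
 _NL_COLLATE_EXTRAMB);
 indirect = (const int32_t *) _NL_CURRENT (LC_COLLATE,
 _NL_COLLATE_INDIRECTMB);
- idx1 = findidx (&cp);
- if (BE (idx1 == 0 || cp < name + strlen ((const char *) name), 0))
+ idx1 = findidx (&cp, -1);
+ if (BE (idx1 == 0 || *cp != '\0', 0))
 /* This isn't a valid character. */
 return REG_ECOLLATE;
 
 /* Build single byte matcing table for this equivalence class. */
- char_buf[1] = (unsigned char) '\0';
 len = weights[idx1 & 0xffffff];
 for (ch = 0; ch < SBC_MAX; ++ch)
 {
 char_buf[0] = ch;
 cp = char_buf;
- idx2 = findidx (&cp);
+ idx2 = findidx (&cp, 1);
 /*
 idx2 = table[ch];
 */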
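Review bot: `idx1 = findidx (&cp, -1);` leaves the lookup unbounded even though `name` is a NUL-terminated string whose length the removed line already computed, and the replacement test `*cp != '\0'` dereferences wherever findidx left `cp`. The old comparison `cp < name + strlen (...)` never read through `cp`; if a table sequence could ever match across the terminator (this depends on locale data and is not visible here), the new test would read past the end of `name`. Passing the real length keeps `cp` inside the string: `idx1 = findidx (&cp, strlen ((const char *) name));`, assuming `name` is never empty at this point, which the hunk does not show. build_equiv_class starts and ends outside the hunk.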
160 | ||
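--- a/posix/regex_internal.h 2011-11-30 12:47:02.706567482 -0700
+++ a/posix/regex_internal.h 2011-11-30 12:47:32.969558337 -0700
@@ -756,7 +756,7 @@
 indirect = (const int32_t *) _NL_CURRENT (LC_COLLATE,
 _NL_COLLATE_INDIRECTMB);
 p = pstr->mbs + idx;
- tmp = findidx (&p);
+ tmp = findidx (&p, pstr->len - idx);
 return p - pstr->mbs - idx;
 }
 else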
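diff --git a/posix/regexec.c b/posix/regexec.c
index 9e0c565..3ea810b 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -3924,7 +3924,7 @@ check_node_accept_bytes (const re_dfa_t *dfa, int node_idx,
 _NL_CURRENT (LC_COLLATE, _NL_COLLATE_EXTRAMB);
 indirect = (const int32_t *)
 _NL_CURRENT (LC_COLLATE, _NL_COLLATE_INDIRECTMB);
- int32_t idx = findidx (&cp);
+ int32_t idx = findidx (&cp, elem_len);
 if (idx > 0)
 for (i = 0; i < cset->nequiv_classes; ++i)
 {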
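diff --git a/string/strcoll_l.c b/string/strcoll_l.c
index d8d1139..fb77d08 100644
--- a/string/strcoll_l.c
+++ b/string/strcoll_l.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 1995-1997,2002,2004,2007,2010 Free Software Foundation, Inc.
+/* Copyright (C) 1995-1997,2002,2004,2007,2010,2011 Free Software Foundation, Inc.
 This file is part of the GNU C Library.
 Written by Ulrich Drepper <drepper@gnu.org>, 1995.
 
@@ -205,7 +205,7 @@ STRCOLL (s1, s2, l)
 
 while (*us1 != L('\0'))
 {
- int32_t tmp = findidx (&us1);
+ int32_t tmp = findidx (&us1, -1);
 rule1arr[idx1max] = tmp >> 24;
 idx1arr[idx1max] = tmp & 0xffffff;
 idx1cnt = idx1max++;
@@ -267,7 +267,7 @@ STRCOLL (s1, s2, l)
 
 while (*us2 != L('\0'))
 {
- int32_t tmp = findidx (&us2);
+ int32_t tmp = findidx (&us2, -1);
 rule2arr[idx2max] = tmp >> 24;
 idx2arr[idx2max] = tmp & 0xffffff;
 idx2cnt = idx2max++;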
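Review bot: `findidx (&us1, -1)` and `findidx (&us2, -1)` pass a negative literal to a `size_t` parameter and rely on the implicit conversion to mean "no bound", with nothing at the call site saying so. Anyone auditing the length argument will have to stop at each of these, so I would write `findidx (&us1, (size_t) -1)` and add `/* NUL-terminated input, no length bound. */` beside the call. The same literal appears in string/strxfrm_l.c and posix/regcomp.c. Both loops here test `*us1 != L('\0')` and `*us2 != L('\0')` before the call, so at least one element is available when findidx runs.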
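diff --git a/string/strxfrm_l.c b/string/strxfrm_l.c
index 220253c..b06556d 100644
--- a/string/strxfrm_l.c
+++ b/string/strxfrm_l.c
@@ -176,7 +176,7 @@ STRXFRM (STRING_TYPE *dest, const STRING_TYPE *src, size_t n, __locale_t l)
 idxmax = 0;
 do
 {
- int32_t tmp = findidx (&usrc);
+ int32_t tmp = findidx (&usrc, -1);
 rulearr[idxmax] = tmp >> 24;
 idxarr[idxmax] = tmp & 0xffffff;
 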