From: Paul Eggert <eggert@cs.ucla.edu>
Date: Tue, 28 Aug 2018 19:54:28 +0000 (+0200)
Subject: regex: fix uninitialized memory access
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=58559f14437d2aa71753a29fed435efa06aa4576;p=thirdparty%2Fglibc.git

regex: fix uninitialized memory access

I introduced this bug into gnulib in commit
8335a4d6c7b4448cd0bcb6d0bebf1d456bcfdb17 dated 2006-04-10;
eventually it was merged into glibc.  The bug was found by
project-repo <bugs@feusi.co> and reported here:
https://lists.gnu.org/r/sed-devel/2018-08/msg00017.html
Diagnosis and draft fix reported by Assaf Gordon here:
https://lists.gnu.org/r/bug-gnulib/2018-08/msg00071.html
https://lists.gnu.org/r/bug-gnulib/2018-08/msg00142.html
* posix/regex_internal.c (build_wcs_upper_buffer):
Fix bug when mbrtowc returns 0.

(cherry picked from commit bc680b336971305cb39896b30d72dc7101b62242)
---

diff --git a/ChangeLog b/ChangeLog
index ef837778331..8625e6c9f54 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,18 @@
+2018-08-25  Paul Eggert  <eggert@cs.ucla.edu>
+
+	[BZ #23578]
+	regex: fix uninitialized memory access
+	I introduced this bug into gnulib in commit
+	8335a4d6c7b4448cd0bcb6d0bebf1d456bcfdb17 dated 2006-04-10;
+	eventually it was merged into glibc.  The bug was found by
+	project-repo <bugs@feusi.co> and reported here:
+	https://lists.gnu.org/r/sed-devel/2018-08/msg00017.html
+	Diagnosis and draft fix reported by Assaf Gordon here:
+	https://lists.gnu.org/r/bug-gnulib/2018-08/msg00071.html
+	https://lists.gnu.org/r/bug-gnulib/2018-08/msg00142.html
+	* posix/regex_internal.c (build_wcs_upper_buffer):
+	Fix bug when mbrtowc returns 0.
+
 2018-08-27 Martin Kuchta  <martin.kuchta@netapp.com>
 	   Torvald Riegel  <triegel@redhat.com>
 
diff --git a/NEWS b/NEWS
index 3073712cbac..2855ffde584 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,7 @@ The following bugs are resolved with this release:
   [23497] readdir64@GLIBC_2.1 cannot parse the kernel directory stream
   [23521] nss_files aliases database file stream leak
   [23538] pthread_cond_broadcast: Fix waiters-after-spinning case
+  [23578] regex: Fix memory overread in re_compile_pattern
 
 
 Version 2.28
diff --git a/posix/regex_internal.c b/posix/regex_internal.c
index 7f0083b918d..b10588f1ccb 100644
--- a/posix/regex_internal.c
+++ b/posix/regex_internal.c
@@ -317,7 +317,7 @@ build_wcs_upper_buffer (re_string_t *pstr)
 	  mbclen = __mbrtowc (&wc,
 			      ((const char *) pstr->raw_mbs + pstr->raw_mbs_idx
 			       + byte_idx), remain_len, &pstr->cur_state);
-	  if (BE (mbclen < (size_t) -2, 1))
+	  if (BE (0 < mbclen && mbclen < (size_t) -2, 1))
 	    {
 	      wchar_t wcu = __towupper (wc);
 	      if (wcu != wc)
@@ -386,7 +386,7 @@ build_wcs_upper_buffer (re_string_t *pstr)
 	else
 	  p = (const char *) pstr->raw_mbs + pstr->raw_mbs_idx + src_idx;
 	mbclen = __mbrtowc (&wc, p, remain_len, &pstr->cur_state);
-	if (BE (mbclen < (size_t) -2, 1))
+	if (BE (0 < mbclen && mbclen < (size_t) -2, 1))
 	  {
 	    wchar_t wcu = __towupper (wc);
 	    if (wcu != wc)