lib/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2025-07-29 11:41:21 +03:00
Code Activity

Fix access after end of search string in regex matcher

Browse Source
This commit is contained in:
Andreas Schwab
2011-11-29 10:52:22 +01:00
parent c5a0802a68
commit f3a6cc0a56
9 changed files with 34 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
ChangeLog
View File

@ -1,3 +1,14 @@
2011-11-29 Andreas Schwab <schwab@redhat.com>
* locale/weight.h (findidx): Add parameter len.
* locale/weightwc.h (findidx): Likewise.
* posix/fnmatch_loop.c (FCT): Adjust caller.
* posix/regcomp.c (build_equiv_class): Likewise.
* posix/regex_internal.h (re_string_elem_size_at): Likewise.
* posix/regexec.c (check_node_accept_bytes): Likewise.
* string/strcoll_l.c (STRCOLL): Likewise.
* string/strxfrm_l.c (STRXFRM): Likewise.
2011-11-28 Andreas Schwab <schwab@redhat.com> 2011-11-28 Andreas Schwab <schwab@redhat.com>
* sysdeps/unix/sysv/linux/i386/i486/pthread_cond_wait.S: Handle * sysdeps/unix/sysv/linux/i386/i486/pthread_cond_wait.S: Handle

11
locale/weight.h
View File

@ -1,4 +1,4 @@
/* Copyright (C) 1996,1997,1998,1999,2000,2003,2004 Free Software Foundation, Inc. /* Copyright (C) 1996,1997,1998,1999,2000,2003,2004,2011 Free Software Foundation, Inc.
This file is part of the GNU C Library. This file is part of the GNU C Library.
Written by Ulrich Drepper, <drepper@cygnus.com>. Written by Ulrich Drepper, <drepper@cygnus.com>.
@ -20,7 +20,7 @@
/* Find index of weight. */ /* Find index of weight. */
auto inline int32_t auto inline int32_t
__attribute ((always_inline)) __attribute ((always_inline))
findidx (const unsigned char **cpp) findidx (const unsigned char **cpp, size_t len)
{ {
int_fast32_t i = table[*(*cpp)++]; int_fast32_t i = table[*(*cpp)++];
const unsigned char *cp; const unsigned char *cp;
@ -34,6 +34,7 @@ findidx (const unsigned char **cpp)
Search for the correct one. */ Search for the correct one. */
cp = &extra[-i]; cp = &extra[-i];
usrc = *cpp; usrc = *cpp;
--len;
while (1) while (1)
{ {
size_t nhere; size_t nhere;
@ -56,7 +57,7 @@ findidx (const unsigned char **cpp)
already. */ already. */
size_t cnt; size_t cnt;
for (cnt = 0; cnt < nhere; ++cnt) for (cnt = 0; cnt < nhere && cnt < len; ++cnt)
if (cp[cnt] != usrc[cnt]) if (cp[cnt] != usrc[cnt])
break; break;
@ -79,13 +80,13 @@ findidx (const unsigned char **cpp)
size_t cnt; size_t cnt;
size_t offset = 0; size_t offset = 0;
for (cnt = 0; cnt < nhere; ++cnt) for (cnt = 0; cnt < nhere && cnt < len; ++cnt)
if (cp[cnt] != usrc[cnt]) if (cp[cnt] != usrc[cnt])
break; break;
if (cnt != nhere) if (cnt != nhere)
{ {
if (cp[cnt] > usrc[cnt]) if (cnt == len || cp[cnt] > usrc[cnt])
{ {
/* Cannot be in this range. */ /* Cannot be in this range. */
cp += 2 * nhere; cp += 2 * nhere;

9
locale/weightwc.h
View File

@ -1,4 +1,4 @@
/* Copyright (C) 1996-2001,2003,2004,2005,2007 Free Software Foundation, Inc. /* Copyright (C) 1996-2001,2003,2004,2005,2007,2011 Free Software Foundation, Inc.
This file is part of the GNU C Library. This file is part of the GNU C Library.
Written by Ulrich Drepper, <drepper@cygnus.com>. Written by Ulrich Drepper, <drepper@cygnus.com>.
@ -20,7 +20,7 @@
/* Find index of weight. */ /* Find index of weight. */
auto inline int32_t auto inline int32_t
__attribute ((always_inline)) __attribute ((always_inline))
findidx (const wint_t **cpp) findidx (const wint_t **cpp, size_t len)
{ {
wint_t ch = *(*cpp)++; wint_t ch = *(*cpp)++;
int32_t i = __collidx_table_lookup ((const char *) table, ch); int32_t i = __collidx_table_lookup ((const char *) table, ch);
@ -32,6 +32,7 @@ findidx (const wint_t **cpp)
/* Oh well, more than one sequence starting with this byte. /* Oh well, more than one sequence starting with this byte.
Search for the correct one. */ Search for the correct one. */
const int32_t *cp = (const int32_t *) &extra[-i]; const int32_t *cp = (const int32_t *) &extra[-i];
--len;
while (1) while (1)
{ {
size_t nhere; size_t nhere;
@ -54,7 +55,7 @@ findidx (const wint_t **cpp)
already. */ already. */
size_t cnt; size_t cnt;
for (cnt = 0; cnt < nhere; ++cnt) for (cnt = 0; cnt < nhere && cnt < len; ++cnt)
if (cp[cnt] != usrc[cnt]) if (cp[cnt] != usrc[cnt])
break; break;
@ -75,7 +76,7 @@ findidx (const wint_t **cpp)
size_t cnt; size_t cnt;
size_t offset; size_t offset;
for (cnt = 0; cnt < nhere - 1; ++cnt) for (cnt = 0; cnt < nhere - 1 && cnt < len; ++cnt)
if (cp[cnt] != usrc[cnt]) if (cp[cnt] != usrc[cnt])
break; break;

4
posix/fnmatch_loop.c
View File

@ -412,7 +412,7 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
_NL_CURRENT (LC_COLLATE, _NL_COLLATE_INDIRECTMB); _NL_CURRENT (LC_COLLATE, _NL_COLLATE_INDIRECTMB);
# endif # endif
idx = findidx (&cp); idx = findidx (&cp, 1);
if (idx != 0) if (idx != 0)
{ {
/* We found a table entry. Now see whether the /* We found a table entry. Now see whether the
@ -422,7 +422,7 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
int32_t idx2; int32_t idx2;
const UCHAR *np = (const UCHAR *) n; const UCHAR *np = (const UCHAR *) n;
idx2 = findidx (&np); idx2 = findidx (&np, string_end - n);
if (idx2 != 0 if (idx2 != 0
&& (idx >> 24) == (idx2 >> 24) && (idx >> 24) == (idx2 >> 24)
&& len == weights[idx2 & 0xffffff]) && len == weights[idx2 & 0xffffff])

9
posix/regcomp.c
View File

@ -1,5 +1,5 @@
/* Extended regular expression matching and search library. /* Extended regular expression matching and search library.
Copyright (C) 2002-2007,2009,2010 Free Software Foundation, Inc. Copyright (C) 2002-2007,2009,2010,2011 Free Software Foundation, Inc.
This file is part of the GNU C Library. This file is part of the GNU C Library.
Contributed by Isamu Hasegawa <isamu@yamato.ibm.com>. Contributed by Isamu Hasegawa <isamu@yamato.ibm.com>.
@ -3409,19 +3409,18 @@ build_equiv_class (bitset_t sbcset, const unsigned char *name)
_NL_COLLATE_EXTRAMB); _NL_COLLATE_EXTRAMB);
indirect = (const int32_t *) _NL_CURRENT (LC_COLLATE, indirect = (const int32_t *) _NL_CURRENT (LC_COLLATE,
_NL_COLLATE_INDIRECTMB); _NL_COLLATE_INDIRECTMB);
idx1 = findidx (&cp); idx1 = findidx (&cp, -1);
if (BE (idx1 == 0 || cp < name + strlen ((const char *) name), 0)) if (BE (idx1 == 0 || *cp != '\0', 0))
/* This isn't a valid character. */ /* This isn't a valid character. */
return REG_ECOLLATE; return REG_ECOLLATE;
/* Build single byte matcing table for this equivalence class. */ /* Build single byte matcing table for this equivalence class. */
char_buf[1] = (unsigned char) '\0';
len = weights[idx1 & 0xffffff]; len = weights[idx1 & 0xffffff];
for (ch = 0; ch < SBC_MAX; ++ch) for (ch = 0; ch < SBC_MAX; ++ch)
{ {
char_buf[0] = ch; char_buf[0] = ch;
cp = char_buf; cp = char_buf;
idx2 = findidx (&cp); idx2 = findidx (&cp, 1);
/* /*
idx2 = table[ch]; idx2 = table[ch];
*/ */

2
posix/regex_internal.h
View File

@ -755,7 +755,7 @@ re_string_elem_size_at (const re_string_t *pstr, int idx)
indirect = (const int32_t *) _NL_CURRENT (LC_COLLATE, indirect = (const int32_t *) _NL_CURRENT (LC_COLLATE,
_NL_COLLATE_INDIRECTMB); _NL_COLLATE_INDIRECTMB);
p = pstr->mbs + idx; p = pstr->mbs + idx;
findidx (&p); findidx (&p, pstr->len - idx);
return p - pstr->mbs - idx; return p - pstr->mbs - idx;
} }
else else

2
posix/regexec.c
View File

@ -3924,7 +3924,7 @@ check_node_accept_bytes (const re_dfa_t *dfa, int node_idx,
_NL_CURRENT (LC_COLLATE, _NL_COLLATE_EXTRAMB); _NL_CURRENT (LC_COLLATE, _NL_COLLATE_EXTRAMB);
indirect = (const int32_t *) indirect = (const int32_t *)
_NL_CURRENT (LC_COLLATE, _NL_COLLATE_INDIRECTMB); _NL_CURRENT (LC_COLLATE, _NL_COLLATE_INDIRECTMB);
int32_t idx = findidx (&cp); int32_t idx = findidx (&cp, elem_len);
if (idx > 0) if (idx > 0)
for (i = 0; i < cset->nequiv_classes; ++i) for (i = 0; i < cset->nequiv_classes; ++i)
{ {

6
string/strcoll_l.c
View File

@ -1,4 +1,4 @@
/* Copyright (C) 1995-1997,2002,2004,2007,2010 Free Software Foundation, Inc. /* Copyright (C) 1995-1997,2002,2004,2007,2010,2011 Free Software Foundation, Inc.
This file is part of the GNU C Library. This file is part of the GNU C Library.
Written by Ulrich Drepper <drepper@gnu.org>, 1995. Written by Ulrich Drepper <drepper@gnu.org>, 1995.
@ -205,7 +205,7 @@ STRCOLL (s1, s2, l)
while (*us1 != L('\0')) while (*us1 != L('\0'))
{ {
int32_t tmp = findidx (&us1); int32_t tmp = findidx (&us1, -1);
rule1arr[idx1max] = tmp >> 24; rule1arr[idx1max] = tmp >> 24;
idx1arr[idx1max] = tmp & 0xffffff; idx1arr[idx1max] = tmp & 0xffffff;
idx1cnt = idx1max++; idx1cnt = idx1max++;
@ -267,7 +267,7 @@ STRCOLL (s1, s2, l)
while (*us2 != L('\0')) while (*us2 != L('\0'))
{ {
int32_t tmp = findidx (&us2); int32_t tmp = findidx (&us2, -1);
rule2arr[idx2max] = tmp >> 24; rule2arr[idx2max] = tmp >> 24;
idx2arr[idx2max] = tmp & 0xffffff; idx2arr[idx2max] = tmp & 0xffffff;
idx2cnt = idx2max++; idx2cnt = idx2max++;

2
string/strxfrm_l.c
View File

@ -176,7 +176,7 @@ STRXFRM (STRING_TYPE *dest, const STRING_TYPE *src, size_t n, __locale_t l)
idxmax = 0; idxmax = 0;
do do
{ {
int32_t tmp = findidx (&usrc); int32_t tmp = findidx (&usrc, -1);
rulearr[idxmax] = tmp >> 24; rulearr[idxmax] = tmp >> 24;
idxarr[idxmax] = tmp & 0xffffff; idxarr[idxmax] = tmp & 0xffffff;