[crossrootfs.git] / glibc / glibc-regexp_buffer_overrun.patch

# http://sourceware.org/bugzilla/show_bug.cgi?id=15078
# CVE-2013-0242
# ChangeLog, NEWS and new test removed to apply clean

commit a445af0bc722d620afed7683cd320c0e4c7c6059
Author: Andreas Schwab <schwab@suse.de>
Date:   Tue Jan 29 14:45:15 2013 +0100

    Fix buffer overrun in regexp matcher

diff --git a/posix/regexec.c b/posix/regexec.c
index 7f2de85..5ca2bf6 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -197,7 +197,7 @@ static int group_nodes_into_DFAstates (const re_dfa_t *dfa,
 static int check_node_accept (const re_match_context_t *mctx,
 			      const re_token_t *node, int idx)
      internal_function;
-static reg_errcode_t extend_buffers (re_match_context_t *mctx)
+static reg_errcode_t extend_buffers (re_match_context_t *mctx, int min_len)
      internal_function;
 \f
 /* Entry point for POSIX code.  */
@@ -1160,7 +1160,7 @@ check_matching (re_match_context_t *mctx, int fl_longest_match,
 	  || (BE (next_char_idx >= mctx->input.valid_len, 0)
 	      && mctx->input.valid_len < mctx->input.len))
 	{
-	  err = extend_buffers (mctx);
+	  err = extend_buffers (mctx, next_char_idx + 1);
 	  if (BE (err != REG_NOERROR, 0))
 	    {
 	      assert (err == REG_ESPACE);
@@ -1738,7 +1738,7 @@ clean_state_log_if_needed (re_match_context_t *mctx, int next_state_log_idx)
 	  && mctx->input.valid_len < mctx->input.len))
     {
       reg_errcode_t err;
-      err = extend_buffers (mctx);
+      err = extend_buffers (mctx, next_state_log_idx + 1);
       if (BE (err != REG_NOERROR, 0))
 	return err;
     }
@@ -2792,7 +2792,7 @@ get_subexp (re_match_context_t *mctx, int bkref_node, int bkref_str_idx)
 		  if (bkref_str_off >= mctx->input.len)
 		    break;
 
-		  err = extend_buffers (mctx);
+		  err = extend_buffers (mctx, bkref_str_off + 1);
 		  if (BE (err != REG_NOERROR, 0))
 		    return err;
 
@@ -4102,7 +4102,7 @@ check_node_accept (const re_match_context_t *mctx, const re_token_t *node,
 
 static reg_errcode_t
 internal_function __attribute_warn_unused_result__
-extend_buffers (re_match_context_t *mctx)
+extend_buffers (re_match_context_t *mctx, int min_len)
 {
   reg_errcode_t ret;
   re_string_t *pstr = &mctx->input;
@@ -4111,8 +4111,10 @@ extend_buffers (re_match_context_t *mctx)
   if (BE (INT_MAX / 2 / sizeof (re_dfastate_t *) <= pstr->bufs_len, 0))
     return REG_ESPACE;
 
-  /* Double the lengthes of the buffers.  */
-  ret = re_string_realloc_buffers (pstr, MIN (pstr->len, pstr->bufs_len * 2));
+  /* Double the lengthes of the buffers, but allocate at least MIN_LEN.  */
+  ret = re_string_realloc_buffers (pstr,
+				   MAX (min_len,
+					MIN (pstr->len, pstr->bufs_len * 2)));
   if (BE (ret != REG_NOERROR, 0))
     return ret;
Commit	Line	Data
50c61831 VM	1	# http://sourceware.org/bugzilla/show_bug.cgi?id=15078
	2	# CVE-2013-0242
	3	# ChangeLog, NEWS and new test removed to apply clean
	4
	5	commit a445af0bc722d620afed7683cd320c0e4c7c6059
	6	Author: Andreas Schwab <schwab@suse.de>
	7	Date: Tue Jan 29 14:45:15 2013 +0100
	8
	9	Fix buffer overrun in regexp matcher
	10
	11	diff --git a/posix/regexec.c b/posix/regexec.c
	12	index 7f2de85..5ca2bf6 100644
	13	--- a/posix/regexec.c
	14	+++ b/posix/regexec.c
	15	@@ -197,7 +197,7 @@ static int group_nodes_into_DFAstates (const re_dfa_t *dfa,
	16	static int check_node_accept (const re_match_context_t *mctx,
	17	const re_token_t *node, int idx)
	18	internal_function;
	19	-static reg_errcode_t extend_buffers (re_match_context_t *mctx)
	20	+static reg_errcode_t extend_buffers (re_match_context_t *mctx, int min_len)
	21	internal_function;
	22	\f
	23	/* Entry point for POSIX code. */
	24	@@ -1160,7 +1160,7 @@ check_matching (re_match_context_t *mctx, int fl_longest_match,
	25	\|\| (BE (next_char_idx >= mctx->input.valid_len, 0)
	26	&& mctx->input.valid_len < mctx->input.len))
	27	{
	28	- err = extend_buffers (mctx);
	29	+ err = extend_buffers (mctx, next_char_idx + 1);
	30	if (BE (err != REG_NOERROR, 0))
	31	{
	32	assert (err == REG_ESPACE);
	33	@@ -1738,7 +1738,7 @@ clean_state_log_if_needed (re_match_context_t *mctx, int next_state_log_idx)
	34	&& mctx->input.valid_len < mctx->input.len))
	35	{
	36	reg_errcode_t err;
	37	- err = extend_buffers (mctx);
	38	+ err = extend_buffers (mctx, next_state_log_idx + 1);
	39	if (BE (err != REG_NOERROR, 0))
	40	return err;
	41	}
	42	@@ -2792,7 +2792,7 @@ get_subexp (re_match_context_t *mctx, int bkref_node, int bkref_str_idx)
	43	if (bkref_str_off >= mctx->input.len)
	44	break;
	45
	46	- err = extend_buffers (mctx);
	47	+ err = extend_buffers (mctx, bkref_str_off + 1);
	48	if (BE (err != REG_NOERROR, 0))
	49	return err;
	50
	51	@@ -4102,7 +4102,7 @@ check_node_accept (const re_match_context_t mctx, const re_token_t node,
	52
	53	static reg_errcode_t
	54	internal_function __attribute_warn_unused_result__
	55	-extend_buffers (re_match_context_t *mctx)
	56	+extend_buffers (re_match_context_t *mctx, int min_len)
	57	{
	58	reg_errcode_t ret;
	59	re_string_t *pstr = &mctx->input;
	60	@@ -4111,8 +4111,10 @@ extend_buffers (re_match_context_t *mctx)
	61	if (BE (INT_MAX / 2 / sizeof (re_dfastate_t *) <= pstr->bufs_len, 0))
	62	return REG_ESPACE;
	63
	64	- /* Double the lengthes of the buffers. */
65	- ret = re_string_realloc_buffers (pstr, MIN (pstr->len, pstr->bufs_len * 2));
66	+ /* Double the lengthes of the buffers, but allocate at least MIN_LEN. */
67	+ ret = re_string_realloc_buffers (pstr,
68	+ MAX (min_len,
69	+ MIN (pstr->len, pstr->bufs_len * 2)));
70	if (BE (ret != REG_NOERROR, 0))
71	return ret;
72