[llvm] [Support] Fix buffer overflow in regcomp (PR #76681)
via llvm-commits
llvm-commits at lists.llvm.org
Mon Jan 1 07:26:47 PST 2024
https://github.com/DavidKorczynski created https://github.com/llvm/llvm-project/pull/76681
`OQUEST_` and `OCH_` cause the scan pointer to skip elements in `g`'s `strip` buffer. However, the terminating character of `g->strip` may be within the skipped elements, and there is currently no checking of that. This adds a check on the skipped elements to ensure no overflow happens.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65423
From 22fcd1ef7e9a79a861313bc0f2d4c84767e2a0e8 Mon Sep 17 00:00:00 2001
From: David Korczynski <david at adalogics.com>
Date: Mon, 1 Jan 2024 07:16:36 -0800
Subject: [PATCH] [Support] Fix buffer overflow in regcomp
`OQUEST_` and `OCH_` cause the scan pointer to skip elements in `g`'s
`strip` buffer. However, the terminating character of `g->strip` may be
within the skipped elements, and there is currently no checking of that.
This adds a check on the skipped elements to ensure no overflow happens.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65423
Signed-off-by: David Korczynski <david at adalogics.com>
---
llvm/lib/Support/regcomp.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/llvm/lib/Support/regcomp.c b/llvm/lib/Support/regcomp.c
index 990aef32a396fa..1f68008d6a2937 100644
--- a/llvm/lib/Support/regcomp.c
+++ b/llvm/lib/Support/regcomp.c
@@ -1601,6 +1601,7 @@ findmust(struct parse *p, struct re_guts *g)
sop s;
char *cp;
sopno i;
+ unsigned int skipsize;
/* avoid making error situations worse */
if (p->error != 0)
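Review bot: The new local `skipsize` is declared `unsigned int`, while the neighbouring locals in `findmust` use the regex-specific types `sop` and `sopno`, and the value it later receives comes from `OPND(s)` where `s` is a `sop`. Declaring `skipsize` with one of those types would keep the counter the same width as the operand it holds and avoid an implicit conversion if `sop` is wider than `unsigned int`.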
@@ -1625,7 +1626,16 @@ findmust(struct parse *p, struct re_guts *g)
case OCH_:
scan--;
do {
- scan += OPND(s);
+ /* Ensure end is not skipped */
+ skipsize = OPND(s);
+ while (skipsize > 0) {
+ if (OP(*scan) == OEND) {
+ g->iflags |= REGEX_BAD;
+ return;
+ }
+ scan++;
+ skipsize--;
+ }
s = *scan;
/* assert() interferes w debug printouts */
if (OP(s) != O_QUEST && OP(s) != O_CH &&
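Review bot: In the new `while (skipsize > 0)` loop under `case OCH_:`, the `OP(*scan) == OEND` test runs on each element before `scan++`, so the element `scan` finally lands on is read by `s = *scan` without having been tested. That read is in bounds only because the worst case is landing on the OEND terminator itself, which the following `OP(s) != O_QUEST && OP(s) != O_CH` check then has to reject; the comment `/* Ensure end is not skipped */` could state that invariant so a later edit does not break it. The diffstat also shows `regcomp.c` as the only file changed, so a regression test built from the OSS-Fuzz reproducer would be worth adding alongside the fix.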