[llvm] [Support] Fix buffer overflow in regcomp (PR #76681)

via llvm-commits llvm-commits at lists.llvm.org
Mon Jan 1 07:27:17 PST 2024


llvmbot wrote:



@llvm/pr-subscribers-llvm-support

Author: None (DavidKorczynski)

<details>
<summary>Changes</summary>

`OQUEST_` and `OCH_` cause the scan pointer to skip elements in `g`'s `strip` buffer. However, the terminating character of `g->strip` may be within the skipped elements, and there is currently no checking of that. This adds a check on the skipped elements to ensure no overflow happens.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65423

---
Full diff: https://github.com/llvm/llvm-project/pull/76681.diff


1 file affected:

- (modified) llvm/lib/Support/regcomp.c (+11-1) 


``````````diff
diff --git a/llvm/lib/Support/regcomp.c b/llvm/lib/Support/regcomp.c
index 990aef32a396fa..1f68008d6a2937 100644
--- a/llvm/lib/Support/regcomp.c
+++ b/llvm/lib/Support/regcomp.c
@@ -1601,6 +1601,7 @@ findmust(struct parse *p, struct re_guts *g)
 	sop s;
 	char *cp;
 	sopno i;
+	unsigned int skipsize;
 
 	/* avoid making error situations worse */
 	if (p->error != 0)
@@ -1625,7 +1626,16 @@ findmust(struct parse *p, struct re_guts *g)
 		case OCH_:
 			scan--;
 			do {
-				scan += OPND(s);
+				/* Ensure end is not skipped */
+				skipsize = OPND(s);
+				while (skipsize > 0) {
+					if (OP(*scan) == OEND) {
+						g->iflags |= REGEX_BAD;
+						return;
+					}
+					scan++;
+					skipsize--;
+				}
 				s = *scan;
 				/* assert() interferes w debug printouts */
 				if (OP(s) != O_QUEST && OP(s) != O_CH &&

``````````
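Review bot: in the second hunk the new loop replaces the constant-time jump `scan += OPND(s)` with a walk over every skipped element, so each `OQUEST_`/`OCH_` reached in `findmust` now costs time proportional to the span it skips, and nested constructs pay that cost repeatedly; the same guarantee (the `OEND` terminator is never jumped over) can be obtained with one comparison of `OPND(s)` against the number of elements remaining in `g->strip`, if that length is available to `findmust`. Separately, `skipsize` is declared `unsigned int` while `OPND(s)` is taken from `s`, a `sop`; declaring it as `sopno`, like `i` in the first hunk, avoids the narrowing conversion and keeps the type consistent with the rest of the function. The checked-then-increment order is otherwise correct: every element the jump crosses is tested for `OEND` before it is passed, and the destination itself is still rejected by the existing `OP(s) != O_QUEST && OP(s) != O_CH` test.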

</details>


https://github.com/llvm/llvm-project/pull/76681


More information about the llvm-commits mailing list