[Bug regex/25149] New: Array bounds violation in proceed_next_node

[Bug regex/25149] New: Array bounds violation in proceed_next_node

glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25149

            Bug ID: 25149
           Summary: Array bounds violation in proceed_next_node
           Product: glibc
           Version: 2.30
            Status: NEW
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: [hidden email]
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

If the regex has more subexpressions than the number of elements allocated in
the regmatch_t array passed to regexec then proceed_next_node may access the
regmatch_t array outside its bounds.

#include <regex.h>

int
main (void)
{
  regex_t rx;
  regmatch_t rm[4];
  int err;

  err = regcomp (&rx,
                 "^(.?)(.?)(.?)(.?)(.?)(.?)(.?)(.?)(.?).?\\9\\8\\7\\6\\5\\4\\3\\2\\1$",
                 REG_EXTENDED);
  if (err == REG_NOERROR)
    err = regexec (&rx, "1234", sizeof (rm) / sizeof (rm[0]), rm, 0);
  return err != REG_NOMATCH;
}

--
You are receiving this mail because:
You are on the CC list for the bug.
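
A caller-side check for the condition the report describes, added here as an example; it is not glibc code, not the fix from the commit, and not part of any message in this thread. The helper names slots_needed and exec_sized are hypothetical; re_nsub is the POSIX regex_t field holding the number of parenthesized subexpressions.

```c
#include <regex.h>
#include <stdlib.h>

/* Hypothetical helper: slots needed for the whole match plus every
   subexpression of PATTERN (re_nsub + 1); 0 if it does not compile.  */
size_t slots_needed (const char *pattern)
{
  regex_t rx;
  size_t n;
  if (regcomp (&rx, pattern, REG_EXTENDED) != 0)
    return 0;
  n = rx.re_nsub + 1;
  regfree (&rx);
  return n;
}

/* Hypothetical helper: regexec with a heap array sized from re_nsub rather
   than a fixed-size one.  On a match *out holds *n entries (caller frees);
   on any failure *out is NULL.  */
int exec_sized (const char *pattern, const char *subject,
                regmatch_t **out, size_t *n)
{
  regex_t rx;
  int err = regcomp (&rx, pattern, REG_EXTENDED);
  *out = NULL;
  *n = 0;
  if (err != 0)
    return err;
  *n = rx.re_nsub + 1;
  *out = calloc (*n, sizeof **out);
  err = *out ? regexec (&rx, subject, *n, *out, 0) : REG_ESPACE;
  regfree (&rx);
  if (err != 0)
    {
      free (*out);
      *out = NULL;
    }
  return err;
}

int main (void)
{
  regmatch_t *m;
  size_t n;
  /* Constructed pattern and subject, not taken from the report.  */
  int err = exec_sized ("^(a)(b)(c)$", "abc", &m, &n);
  free (m);
  return err != 0;
}
```

For the pattern in the report, slots_needed returns 10, against the 4 elements of rm in the reproducer; a caller that must keep a fixed array can compare the two and reject the pattern before calling regexec.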

[Bug regex/25149] Array bounds violation in proceed_next_node

glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25149

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com

[Bug regex/25149] Array bounds violation in proceed_next_node

glaubitz at physik dot fu-berlin.de
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25149

--- Comment #1 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Andreas Schwab <[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fc141ea78ee3d87c67b18488827fe2d89c9343e7

commit fc141ea78ee3d87c67b18488827fe2d89c9343e7
Author: Andreas Schwab <[hidden email]>
Date:   Wed Oct 30 10:38:36 2019 +0100

    Fix array bounds violation in regex matcher (bug 25149)

    If the regex has more subexpressions than the number of elements allocated
    in the regmatch_t array passed to regexec then proceed_next_node may
    access the regmatch_t array outside its bounds.

    No testcase added because even without this bug it would then crash in
    pop_fail_stack which is bug 11053.

[Bug regex/25149] Array bounds violation in proceed_next_node

glaubitz at physik dot fu-berlin.de
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25149

Andreas Schwab <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
             Blocks|                            |11053
         Resolution|---                         |FIXED
   Target Milestone|---                         |2.31

--- Comment #2 from Andreas Schwab <[hidden email]> ---
Fixed in 2.31.


Referenced Bugs:

https://sourceware.org/bugzilla/show_bug.cgi?id=11053
[Bug 11053] Wrong results with backreferences

[Bug regex/25149] Array bounds violation in proceed_next_node

glaubitz at physik dot fu-berlin.de
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25149

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-

--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
This requires a crafted regular expression to trigger the out-of-bounds access,
so I'm setting security-.
