HomeFreeBSD

MFC r317707:

Description

MFC r317707:

Correct an out-of-bounds read in regcomp when the RE is bad.

When passed the invalid regular expression "a**", the error is
eventually detected and seterr() is called. It sets p->error
appropriatly and p->next and p->end to nuls which is a never used char
nuls[10] which is zeros due to .bss initialization. Unfortunatly,
p_ere_exp() and p_simp_re() both have fall through cases where they set
the error, decrement p->next and access it which means a read from
whatever .bss variable comes before nuls.

Found with regex_test:repet_multi and CHERI bounds checking.

Reviewed by: ngie, pfg, emaste
Obtained from: CheriBSD
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D10541

Details

Provenance
brooksAuthored on
Reviewer
ngie
Differential Revision
D10541: Correct an out-of-bounds read in regcomp when the RE is bad.
Parents
rS318028: Prune stale entries from 11.0-RELEASE.
Branches
Unknown
Tags
Unknown