EGexecute: avoid access beyond end of buffer
From: Bruno Haible
Subject: EGexecute: avoid access beyond end of buffer
Date: Mon, 24 May 2010 11:10:58 +0200
User-agent: KMail/1.9.9

Hi,

Another fix, independent of my previous patch: Avoid an access beyond end of
buffer.

Recall that the second argument to re_search is 'buf', therefore indices
returned by re_search are relative to 'buf', not to 'beg'. The expression
WCHAR ((unsigned char) match[len]) is only valid if
       &match[len] < end - 1
  <==> buf + start + len < end - 1
  <==> start + len < end - buf - 1

The previous test
       len < end - beg - 1
is wrong because
       match may be != beg
or equivalently
       start may be != beg - buf.

Bruno

2010-05-24  Bruno Haible  <address@hidden>

        Fix bug: Avoid out-of-bounds access.
        * src/dfasearch.c (EGexecute): Fix test before second call to WCHAR.

diff --git a/src/dfasearch.c b/src/dfasearch.c
index 6178b33..4ccb6dc 100644
--- a/src/dfasearch.c
+++ b/src/dfasearch.c
@@ -326,7 +326,7 @@ EGexecute (char const *buf, size_t size, size_t *match_size,
while (match <= best_match)
{
if ((match == buf || !WCHAR ((unsigned char) match[-1]))
- && (len == end - beg - 1
+ && (start + len == end - buf - 1
|| !WCHAR ((unsigned char) match[len])))
goto assess_pattern_match;
if (len > 0)
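
Review bot: The new test `start + len == end - buf - 1` is only equivalent to the pointer condition given in the message if `start` equals `match - buf` on every pass through the `while (match <= best_match)` loop, and nothing in this hunk shows `start` being kept in step with `match`. Writing the test on the pointers themselves, `match + len == end - 1`, states the same bound without depending on `start`. Because this is an equality rather than `>=`, evaluation still falls through to `match[len]` if the sum ever exceeds `end - buf - 1`, so a short comment saying why that cannot happen here would help.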