This is the mail archive of the libc-hacker@sources.redhat.com mailing list for the glibc project.
Note that libc-hacker is a closed list. You may look at the archives of this list, but subscription and posting are not open.
Hi! get_subexp would happily compare bytes beyond end of buffer (or beyond end of valid chars). 2004-01-19 Jakub Jelinek <jakub@redhat.com> * posix/regexec.c (get_subexp): Remove bkref_str variable. Extend buffers if needed before comparisons. (get_subexp_sub): Handle clean_state_log_if_needed failure. --- libc/posix/regexec.c.jj 2004-01-03 13:42:56.000000000 +0100 +++ libc/posix/regexec.c 2004-01-19 15:00:53.000000000 +0100 @@ -2551,7 +2551,6 @@ get_subexp (mctx, bkref_node, bkref_str_ re_sub_match_top_t *sub_top = mctx->sub_tops[sub_top_idx]; re_sub_match_last_t *sub_last; int sub_last_idx, sl_str, bkref_str_off; - const char *bkref_str; if (dfa->nodes[sub_top->node].opr.idx != subexp_num) continue; /* It isn't related. */ @@ -2567,9 +2566,24 @@ get_subexp (mctx, bkref_node, bkref_str_ sl_str_diff = sub_last->str_idx - sl_str; /* The matched string by the sub expression match with the substring at the back reference? */ - if (sl_str_diff > 0 - && memcmp (buf + bkref_str_off, buf + sl_str, sl_str_diff) != 0) - break; /* We don't need to search this sub expression any more. */ + if (sl_str_diff > 0) + { + if (BE (bkref_str_off + sl_str_diff > mctx->input.valid_len, 0)) + { + /* Not enough chars for a successful match. */ + if (bkref_str_off + sl_str_diff > mctx->input.len) + break; + + err = clean_state_log_if_needed (mctx, + bkref_str_off + + sl_str_diff); + if (BE (err != REG_NOERROR, 0)) + return err; + buf = (const char *) re_string_get_buffer (&mctx->input); + } + if (memcmp (buf + bkref_str_off, buf + sl_str, sl_str_diff) != 0) + break; /* We don't need to search this sub expression any more. */ + } bkref_str_off += sl_str_diff; sl_str += sl_str_diff; err = get_subexp_sub (mctx, sub_top, sub_last, bkref_node, @@ -2584,7 +2598,6 @@ get_subexp (mctx, bkref_node, bkref_str_ if (BE (err != REG_NOERROR, 0)) return err; } - bkref_str = buf + bkref_str_off; if (sub_last_idx < sub_top->nlasts) continue; 
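Review bot: In the hunk at -2567, once `clean_state_log_if_needed` returns REG_NOERROR the code refreshes `buf` and goes straight to `memcmp` without confirming that `mctx->input.valid_len` now covers `bkref_str_off + sl_str_diff`. Whether one call is guaranteed to extend the valid region that far depends on the helper, which is not visible here; if it is not, the out-of-bounds comparison this patch removes can still happen on that path. Re-testing after the refresh would close it, e.g. `if (BE (bkref_str_off + sl_str_diff > mctx->input.valid_len, 0)) break;`, or the extension could be looped until the range is covered. The hunk at -2598 has the same shape after `extend_buffers`, where `buf [bkref_str_off++]` is read without re-checking `bkref_str_off < mctx->input.valid_len`. Both offsets are plain `int`, so a short comment stating why the sum cannot overflow would help; get_subexp's body starts and ends outside these hunks.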
@@ -2598,8 +2611,24 @@ get_subexp (mctx, bkref_node, bkref_str_ sl_str_off = sl_str - sub_top->str_idx; /* The matched string by the sub expression match with the substring at the back reference? */ - if (sl_str_off > 0 && *bkref_str++ != buf[sl_str - 1]) - break; /* We don't need to search this sub expression any more. */ + if (sl_str_off > 0) + { + if (BE (bkref_str_off >= mctx->input.valid_len, 0)) + { + /* If we are at the end of the input, we cannot match. */ + if (bkref_str_off >= mctx->input.len) + break; + + err = extend_buffers (mctx); + if (BE (err != REG_NOERROR, 0)) + return err; + + buf = (const char *) re_string_get_buffer (&mctx->input); + } + if (buf [bkref_str_off++] != buf[sl_str - 1]) + break; /* We don't need to search this sub expression + any more. */ + } if (mctx->state_log[sl_str] == NULL) continue; /* Does this state have a ')' of the sub expression? */ @@ -2659,8 +2688,7 @@ get_subexp_sub (mctx, sub_top, sub_last, if (BE (err != REG_NOERROR, 0)) return err; to_idx = bkref_str + sub_last->str_idx - sub_top->str_idx; - clean_state_log_if_needed (mctx, to_idx); - return REG_NOERROR; + return clean_state_log_if_needed (mctx, to_idx); } /* Find the first node which is '(' or ')' and whose index is SUBEXP_IDX. Jakub