From c52a676e5e31f4f5c25d78f5dd4c17fab6585d8e Mon Sep 17 00:00:00 2001
From: Assaf Gordon
Date: Sat, 7 Jul 2018 22:03:38 -0600
Subject: [PATCH 02/61] sed: fix heap buffer overflow from invalid references

Under certain conditions sed would access invalid memory based on the requested back-reference (e.g. "s//\9/" would access the 9th element in the regex registers without checking it is at least 9 element in size).

The following examples would trigger valgrind errors:

  seq 2 | valgrind sed -e '/^/s///p ; 2s//\9/'
  seq 2 | valgrind sed --posix -e '/2/p ; 2s//\9/'

Reported by bugs@feusi.co in https://lists.gnu.org/r/bug-sed/2018-07/msg00004.html .

* NEWS: Mention the bugfix.
* sed/execute.c (append_replacement): Check number of allocated regex replacement registers before accessing the array.
* sed/testsuite/bug32082.sh: Test sed for this behaviour under valgrind.
* sed/testsuite/local.mk (T): Add new test.
---
 NEWS                  |  5 +++
 sed/execute.c         |  2 +-
 testsuite/bug32082.sh | 81 +++++++++++++++++++++++++++++++++++++++++++
 testsuite/local.mk    |  1 +
 4 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100755 testsuite/bug32082.sh

diff --git a/sed/execute.c b/sed/execute.c
index 2804c5e..7a4850f 100644
--- a/sed/execute.c
+++ b/sed/execute.c
@@ -987,7 +987,7 @@ static void append_replacement (struct line *buf, struct replacement *p,
       curr_type &= ~REPL_MODIFIERS;
     }
 
-  if (0 <= i)
+  if (0 <= i && i < regs->num_regs)
     {
       if (regs->end[i] == regs->start[i] && p->repl_type & REPL_MODIFIERS)
 	/* Save this modifier, we shall apply it later.
-- 
2.19.1
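Review bot: The added bound `i < regs->num_regs` is only safe because `0 <= i` is evaluated first: `i` is signed (it is compared against 0 on the same line) while `num_regs` in `struct re_registers` is presumably unsigned, so a negative `i` would otherwise be promoted to a huge unsigned value and pass the upper-bound check; that ordering deserves a comment so it survives a future reshuffle, e.g. `/* Test 0 <= i first: num_regs is unsigned, so a negative i would promote and slip past the bound check. */`. The effect of the new check is that an out-of-range `\N` (which the compile-time group-count check cannot catch for an empty-regex `s//\9/`) is now silently skipped rather than diagnosed; if that is the intended contract, a one-line comment saying so, such as `/* Reference to a group the last regex did not define: ignore it silently. */`, would spare the next reader a search for a missing error path. `append_replacement` begins before and continues past this hunk, so any `else` branch that handles the skipped case is not visible here.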