From 007a417687970e0f5c88e181dc0cd07800fc0180 Mon Sep 17 00:00:00 2001 
From: Assaf Gordon
Date: Fri, 27 Jul 2018 02:19:41 -0600
Subject: [PATCH 06/61] sed: fix heap buffer overflow from multiline EOL regex
 optimization

sed would access invalid memory when matching EOF combined with s///n flag:

    $ yes 0 | fmt -w 40 | head -n2 | valgrind sed 'N;s/$//2m'
    ==13131== Conditional jump or move depends on uninitialised value(s)
    ==13131==    at 0x4C3002B: memchr (vg_replace_strmem.c:883)
    ==13131==    by 0x1120BD: match_regex (regexp.c:286)
    ==13131==    by 0x110736: do_subst (execute.c:1101)
    ==13131==    by 0x1115D3: execute_program (execute.c:1591)
    ==13131==    by 0x111A4C: process_files (execute.c:1774)
    ==13131==    by 0x112E1C: main (sed.c:405)
    ==13131==
    ==13131== Invalid read of size 1
    ==13131==    at 0x4C30027: memchr (vg_replace_strmem.c:883)
    ==13131==    by 0x1120BD: match_regex (regexp.c:286)
    ==13131==    by 0x110736: do_subst (execute.c:1101)
    ==13131==    by 0x1115D3: execute_program (execute.c:1591)
    ==13131==    by 0x111A4C: process_files (execute.c:1774)
    ==13131==    by 0x112E1C: main (sed.c:405)
    ==13131==  Address 0x55ec765 is 0 bytes after a block of size 101 alloc'd
    ==13131==    at 0x4C2DDCF: realloc (vg_replace_malloc.c:785)
    ==13131==    by 0x113BA2: ck_realloc (utils.c:418)
    ==13131==    by 0x10E682: resize_line (execute.c:154)
    ==13131==    by 0x10E6F0: str_append (execute.c:165)
    ==13131==    by 0x110779: do_subst (execute.c:1106)
    ==13131==    by 0x1115D3: execute_program (execute.c:1591)
    ==13131==    by 0x111A4C: process_files (execute.c:1774)
    ==13131==    by 0x112E1C: main (sed.c:405)
    ==13131==

The ^/$ optimization code added in v4.2.2-161-g6dea75e called memchr()
using 'buflen', ignoring the value of 'buf_start_offset' (which, if not
zero, reduces the number of bytes available for the search).

Reported by bugs@feusi.co (bug#32271) in
https://lists.gnu.org/r/bug-sed/2018-07/msg00018.html .

* NEWS: Mention the fix.
* sed/regexp.c (match_regex): Use correct buffer length in memchr().
* testsuite/bug-32271-2.sh: Test using valgrind.
* testsuite/local.mk (T): Add new test.
--- NEWS | 3 ++ sed/regexp.c | 3 +- testsuite/bug32271-2.sh | 75 +++++++++++++++++++++++++++++++++++++++++ testsuite/local.mk | 1 + 4 files changed, 81 insertions(+), 1 deletion(-) create mode 100755 testsuite/bug32271-2.sh diff --git a/sed/regexp.c b/sed/regexp.c index f7c2851..567dd26 100644 --- a/sed/regexp.c +++ b/sed/regexp.c @@ -283,7 +283,8 @@ match_regex(struct regex *regex, char *buf, size_t buflen, const char *p = NULL; if (regex->flags & REG_NEWLINE) - p = memchr (buf + buf_start_offset, buffer_delimiter, buflen); + p = memchr (buf + buf_start_offset, buffer_delimiter, + buflen - buf_start_offset); offset = p ? p - buf : buflen; } -- 2.19.1
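Review bot: the new length `buflen - buf_start_offset` in the memchr() call is only safe while `buf_start_offset <= buflen`; both operands are size_t, so an offset one past the end wraps to a huge length and memchr() would scan far beyond the allocation, the same class of out-of-bounds read this patch is fixing. Either add a guard (an `assert (buf_start_offset <= buflen);` before the call, or `buf_start_offset < buflen ? buflen - buf_start_offset : 0` as the length) or document in a comment the invariant the do_subst caller is relied on to keep, so a future caller cannot reintroduce the overread. Two smaller points: the ChangeLog entry names the new test `testsuite/bug-32271-2.sh` while the diffstat creates `testsuite/bug32271-2.sh`, so one of them is wrong; and the diff as shown carries only the `sed/regexp.c` hunk of the four files listed in the diffstat (NEWS, testsuite/bug32271-2.sh and testsuite/local.mk are missing), so the test itself cannot be reviewed here.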
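The commit message explains the bug as memchr() being handed the full `buflen` while its search actually starts `buf_start_offset` bytes into the buffer, so the window runs `buf_start_offset` bytes past the allocation. The following C program is an added illustration written for this page, not code from GNU sed: it mirrors only the delimiter search in match_regex() with a constructed two-line pattern space, computes how far past the end the pre-fix window would reach, and walks the buffer the way a multiline `s///Nm` loop advances its start offset. The function names, the `DELIM` macro standing in for sed's `buffer_delimiter`, and the clamp of an offset beyond `buflen` to an empty window (which the patch itself does not add) are all assumptions of this example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for sed's buffer_delimiter ('\n' unless -z is used). Assumed name. */
#define DELIM '\n'

/* Bytes the pre-fix call memchr(buf + buf_start_offset, DELIM, buflen)
   would inspect beyond the end of a buflen-byte allocation. */
size_t overrun_before_fix(size_t buflen, size_t buf_start_offset)
{
    size_t end = buf_start_offset + buflen;   /* window end as memchr saw it */
    return end > buflen ? end - buflen : 0;
}

/* Length of the remaining window after the fix. The patch subtracts
   unconditionally; this helper also clamps an offset past the end to an
   empty window instead of letting size_t wrap (assumed guard, not in the patch). */
size_t search_len_after_fix(size_t buflen, size_t buf_start_offset)
{
    return buf_start_offset <= buflen ? buflen - buf_start_offset : 0;
}

/* Mirror of the fixed match_regex logic: offset of the next delimiter at or
   after buf_start_offset, or buflen when there is none. */
size_t next_delim_offset(const char *buf, size_t buflen, size_t buf_start_offset)
{
    size_t len = search_len_after_fix(buflen, buf_start_offset);
    const char *p = memchr(buf + buf_start_offset, DELIM, len);
    return p ? (size_t)(p - buf) : buflen;
}

/* Walk the pattern space the way a multiline s///Nm loop advances its start
   offset after each match, counting line ends (a '\n' or the final end of
   buffer). Also reports, via *max_overrun, the largest overrun the pre-fix
   window computation would have produced at any step of the walk. */
size_t count_line_ends(const char *buf, size_t buflen, size_t *max_overrun)
{
    size_t count = 0, start = 0;
    *max_overrun = 0;
    for (;;) {
        size_t o = overrun_before_fix(buflen, start);
        if (o > *max_overrun)
            *max_overrun = o;
        size_t off = next_delim_offset(buf, buflen, start);
        count++;
        if (off >= buflen)
            break;                       /* searched up to the end of buffer */
        start = off + 1;                 /* resume just after the delimiter */
    }
    return count;
}

int main(void)
{
    /* Constructed pattern space: two lines joined by N, no trailing newline,
       a shortened version of what `yes 0 | fmt -w 40 | head -n2 | sed N` holds. */
    const char buf[] = "0 0 0\n0 0 0";
    size_t buflen = sizeof buf - 1;          /* 11 bytes, NUL not counted */
    size_t overrun;
    size_t ends = count_line_ends(buf, buflen, &overrun);
    printf("line ends: %zu, worst pre-fix overrun: %zu bytes past the buffer\n",
           ends, overrun);
    return 0;
}
```

With this input the first search starts at offset 0 and is harmless either way; the second starts at offset 6, where the old code would still pass a length of 11 and read six bytes past the allocation, which is exactly the "0 bytes after a block" read valgrind reports above.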