47 lines
1.7 KiB
Diff
From c52a676e5e31f4f5c25d78f5dd4c17fab6585d8e Mon Sep 17 00:00:00 2001
From: Assaf Gordon <assafgordon@gmail.com>
Date: Sat, 7 Jul 2018 22:03:38 -0600
Subject: [PATCH 02/61] sed: fix heap buffer overflow from invalid references

Under certain conditions sed would access invalid memory based on
the requested back-reference (e.g. "s//\9/" would access the 9th element
in the regex registers without checking it is at least 9 elements in
size).

The following examples would trigger valgrind errors:
seq 2 | valgrind sed -e '/^/s///p ; 2s//\9/'
seq 2 | valgrind sed --posix -e '/2/p ; 2s//\9/'

Reported by bugs@feusi.co in
https://lists.gnu.org/r/bug-sed/2018-07/msg00004.html.

* NEWS: Mention the bugfix.
* sed/execute.c (append_replacement): Check number of allocated regex
replacement registers before accessing the array.
* sed/testsuite/bug32082.sh: Test sed for this behaviour under valgrind.
* sed/testsuite/local.mk (T): Add new test.
---
NEWS | 5 +++
sed/execute.c | 2 +-
testsuite/bug32082.sh | 81 +++++++++++++++++++++++++++++++++++++++++++
testsuite/local.mk | 1 +
4 files changed, 88 insertions(+), 1 deletion(-)
create mode 100755 testsuite/bug32082.sh

diff --git a/sed/execute.c b/sed/execute.c
index 2804c5e..7a4850f 100644
--- a/sed/execute.c
+++ b/sed/execute.c
@@ -987,7 +987,7 @@ static void append_replacement (struct line *buf, struct replacement *p,
curr_type &= ~REPL_MODIFIERS;
}

- if (0 <= i)
+ if (0 <= i && i < regs->num_regs)
{
if (regs->end[i] == regs->start[i] && p->repl_type & REPL_MODIFIERS)
/* Save this modifier, we shall apply it later.
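Review bot: the new upper bound `i < regs->num_regs` stops the out-of-bounds read of `regs->start[i]` / `regs->end[i]`, but an out-of-range back-reference now falls through silently and the `\9` simply contributes nothing to the replacement; it is worth stating in a short comment above the `if` why `i` can legitimately exceed `num_regs` here (the commit message's examples use the empty regex `s//.../`, which reuses the previously matched expression, so the register count is only known at execution time) and whether a diagnostic rather than silent truncation is the intended behaviour. Also, the regression test `testsuite/bug32082.sh` listed in the diffstat is not shown in this view, so the valgrind-based coverage of the two reproducer commands cannot be checked alongside this hunk.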
--
2.19.1