73 lines
2.9 KiB
Diff
From 007a417687970e0f5c88e181dc0cd07800fc0180 Mon Sep 17 00:00:00 2001
From: Assaf Gordon <assafgordon@gmail.com>
Date: Fri, 27 Jul 2018 02:19:41 -0600
Subject: [PATCH 06/61] sed: fix heap buffer overflow from multiline EOL regex optimization

sed would access invalid memory when matching EOF combined with
s///n flag:

  $ yes 0 | fmt -w 40 | head -n2 | valgrind sed 'N;s/$//2m'
  ==13131== Conditional jump or move depends on uninitialised value(s)
  ==13131== at 0x4C3002B: memchr (vg_replace_strmem.c:883)
  ==13131== by 0x1120BD: match_regex (regexp.c:286)
  ==13131== by 0x110736: do_subst (execute.c:1101)
  ==13131== by 0x1115D3: execute_program (execute.c:1591)
  ==13131== by 0x111A4C: process_files (execute.c:1774)
  ==13131== by 0x112E1C: main (sed.c:405)
  ==13131==
  ==13131== Invalid read of size 1
  ==13131== at 0x4C30027: memchr (vg_replace_strmem.c:883)
  ==13131== by 0x1120BD: match_regex (regexp.c:286)
  ==13131== by 0x110736: do_subst (execute.c:1101)
  ==13131== by 0x1115D3: execute_program (execute.c:1591)
  ==13131== by 0x111A4C: process_files (execute.c:1774)
  ==13131== by 0x112E1C: main (sed.c:405)
  ==13131== Address 0x55ec765 is 0 bytes after a block of size 101 alloc'd
  ==13131== at 0x4C2DDCF: realloc (vg_replace_malloc.c:785)
  ==13131== by 0x113BA2: ck_realloc (utils.c:418)
  ==13131== by 0x10E682: resize_line (execute.c:154)
  ==13131== by 0x10E6F0: str_append (execute.c:165)
  ==13131== by 0x110779: do_subst (execute.c:1106)
  ==13131== by 0x1115D3: execute_program (execute.c:1591)
  ==13131== by 0x111A4C: process_files (execute.c:1774)
  ==13131== by 0x112E1C: main (sed.c:405)
  ==13131==

The ^/$ optimization code added in v4.2.2-161-g6dea75e called memchr()
using 'buflen', ignoring the value of 'buf_start_offset' (which, if not
zero, reduces the number of bytes available for the search).

Reported by bugs@feusi.co (bug#32271) in
https://lists.gnu.org/r/bug-sed/2018-07/msg00018.html .

* NEWS: Mention the fix.
* sed/regexp.c (match_regex): Use correct buffer length in memchr().
* testsuite/bug-32271-2.sh: Test using valgrind.
* testsuite/local.mk (T): Add new test.
---
 NEWS                    |  3 ++
 sed/regexp.c            |  3 +-
 testsuite/bug32271-2.sh | 75 +++++++++++++++++++++++++++++++++++++++++
 testsuite/local.mk      |  1 +
 4 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100755 testsuite/bug32271-2.sh

diff --git a/sed/regexp.c b/sed/regexp.c
index f7c2851..567dd26 100644
--- a/sed/regexp.c
+++ b/sed/regexp.c
@@ -283,7 +283,8 @@ match_regex(struct regex *regex, char *buf, size_t buflen,
const char *p = NULL;
if (regex->flags & REG_NEWLINE)
- p = memchr (buf + buf_start_offset, buffer_delimiter, buflen);
+ p = memchr (buf + buf_start_offset, buffer_delimiter,
+ buflen - buf_start_offset);
offset = p ? p - buf : buflen;
}
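Review bot: the new length `buflen - buf_start_offset` in the `+` lines is only safe while buf_start_offset <= buflen; because buflen is a size_t (see the @@ header), the subtraction wraps to a huge count if buf_start_offset ever exceeds buflen, which would turn the over-read this patch fixes into a much larger one. Consider guarding the call, e.g. `if (buf_start_offset > buflen) p = NULL; else p = memchr (...)`, or at least asserting and documenting that precondition at the top of match_regex. The unchanged context line `offset = p ? p - buf : buflen;` remains correct with the new length, since p is still computed relative to buf rather than buf + buf_start_offset.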
--
2.19.1
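An added illustration, not code from the sed sources, of the length mistake the commit message describes: a delimiter search that starts at buf_start_offset but still hands buflen to memchr() may read buf_start_offset bytes past the buffer, whereas passing buflen - buf_start_offset stays inside it. The helper names, the guard for a start offset beyond the buffer, the sample pattern space and the loop that walks successive multiline-mode `$` matches are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Delimiter search with the corrected length: look for delim only in
 * buf[start..buflen), never beyond. Returns the delimiter's offset, or
 * buflen when there is none. A start past the end is treated as "none"
 * rather than letting buflen - start wrap around as an unsigned value. */
size_t find_delim(const char *buf, size_t buflen, size_t start, char delim)
{
    if (start > buflen)
        return buflen;
    const char *p = memchr(buf + start, delim, buflen - start);
    return p ? (size_t)(p - buf) : buflen;
}

/* Offsets at which a multiline-mode '$' matches in a pattern space of
 * buflen bytes: just before each delim and at the very end. Each pass
 * restarts after the previous match, so 'start' becomes non-zero exactly
 * as buf_start_offset does when s///N looks for the Nth occurrence.
 * Returns how many offsets were stored in out (at most max). */
size_t eol_offsets(const char *buf, size_t buflen, char delim,
                   size_t *out, size_t max)
{
    size_t n = 0, start = 0;
    while (n < max) {
        size_t off = find_delim(buf, buflen, start, delim);
        out[n++] = off;
        if (off >= buflen)
            break;          /* matched at end of buffer: nothing further */
        start = off + 1;    /* resume after the delimiter, like sed does */
    }
    return n;
}

int main(void)
{
    /* Constructed pattern space, as after sed's N command joined two lines. */
    const char ps[] = "first line\nsecond line";
    size_t out[8];
    size_t n = eol_offsets(ps, sizeof ps - 1, '\n', out, 8);
    for (size_t i = 0; i < n; i++)
        printf("'$' match %zu at offset %zu\n", i + 1, out[i]);
    return 0;
}
```

The second `$` match is the one `s/$//2m` rewrites; with the pre-fix length the search for it would have scanned 11 bytes beyond the 22-byte pattern space.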