History log of /freebsd-10-stable/lib/libc/regex/regcomp.c
Revision Date Author Comments
# 325394 04-Nov-2017 pfg

MFC r325066:
Fix out-of-bounds read in libc/regex.

The bug is an out-of-bounds read detected with address sanitizer that
happens when 'sp' in p_b_coll_elems() includes NUL byte[s], e.g. if it's
equal to "GS\x00". In that case len will be equal to 4, and the
strncmp(cp->name, sp, len) call will succeed when cp->name is "GS" but the
cp->name[len] == '\0' comparison will cause the read to go out-of-bounds.

Checking the length using strlen() instead eliminates the issue.

The bug was found in LLVM with oss-fuzz:
https://reviews.llvm.org/D39380

Obtained from: Vlad Tsyrklevich through posting on openbsd-tech
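The defect described in this commit message, reduced to a stand-alone C example (added here; it is not libc's code and the collating-element table is constructed). `lookup_before_fix()` uses the original `strncmp()` plus `cp->name[len]` check and `lookup_after_fix()` uses the `strlen()` check from the fix; both names are hypothetical. The names are stored in fixed 8-byte arrays so that the buggy variant reads a zero from the array's padding instead of memory past a string literal, which keeps the demonstration in bounds while still showing the over-match that the fix removes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed collating-element table, modelled loosely on the cnames
 * table that p_b_coll_elems() searches. Names sit in fixed 8-byte arrays
 * so that name[len] for len == 4 reads a zero from padding; in libc the
 * names are exact-length string literals and the same read is out of
 * bounds, which is what address sanitizer reported. */
struct cname {
    char name[8];
    char code;
};

static const struct cname cnames[] = {
    { "NUL", '\0' },
    { "GS",  '\035' },
    { "RS",  '\036' },
    { "",    0 }          /* terminator: empty name */
};

/* Before the fix: compare the first `len` bytes, then require the table
 * name to end exactly at position `len`. When `sp` contains embedded NUL
 * bytes, strncmp() stops at the first NUL in both strings and reports a
 * match, and name[len] is then indexed beyond the real name. */
const struct cname *lookup_before_fix(const char *sp, size_t len)
{
    const struct cname *cp;

    for (cp = cnames; cp->name[0] != '\0'; cp++)
        if (strncmp(cp->name, sp, len) == 0 && cp->name[len] == '\0')
            return cp;
    return NULL;
}

/* After the fix (the approach taken in r325066): require the table name
 * to be exactly `len` bytes long before comparing any bytes. An input
 * with embedded NULs can no longer match a shorter name, and no index
 * past the name's own terminator is ever dereferenced. */
const struct cname *lookup_after_fix(const char *sp, size_t len)
{
    const struct cname *cp;

    for (cp = cnames; cp->name[0] != '\0'; cp++)
        if (strlen(cp->name) == len && strncmp(cp->name, sp, len) == 0)
            return cp;
    return NULL;
}

int main(void)
{
    /* Constructed input: the bracket expression text "GS" followed by
     * two NUL bytes, as the commit message describes (len == 4). */
    const char bad[] = { 'G', 'S', '\0', '\0', '\0' };

    printf("before fix, \"GS\\0\\0\" len 4: %s\n",
           lookup_before_fix(bad, 4) ? "matched GS (over-match)" : "no match");
    printf("after fix,  \"GS\\0\\0\" len 4: %s\n",
           lookup_after_fix(bad, 4) ? "matched GS" : "no match");
    printf("after fix,  \"GS\" len 2:      %s\n",
           lookup_after_fix("GS", 2) ? "matched GS" : "no match");
    return 0;
}
```

Run under address sanitizer with the names changed to exact-length string literals (`const char *name`) and the first lookup reproduces the one-past-the-end read the commit fixes; with the `strlen()` check in place the read never happens because the length mismatch short-circuits the comparison.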


# 318030 09-May-2017 brooks

MFC r317707:

Correct an out-of-bounds read in regcomp when the RE is bad.

When passed the invalid regular expression "a**", the error is
eventually detected and seterr() is called. It sets p->error
appropriately and p->next and p->end to nuls which is a never used char
nuls[10] which is zeros due to .bss initialization. Unfortunately,
p_ere_exp() and p_simp_re() both have fall through cases where they set
the error, decrement p->next and access it which means a read from
whatever .bss variable comes before nuls.

Found with regex_test:repet_multi and CHERI bounds checking.

Reviewed by: ngie, pfg, emaste
Obtained from: CheriBSD
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D10541


# 303185 22-Jul-2016 ache

MFC: r302824

1) Eliminate possibility to call __*collate_range_cmp() with incomplete
locale (which causes a core dump) by removing whole 'table' argument
by which it passed.

2) Restore __collate_range_cmp() in __sccl().

3) Collating [a-z] range in regcomp() works for single byte locales only
(we can't do it for other ones). In previous state only first 256
wide chars are considered and all others are just silently dropped from the
range.


# 278910 17-Feb-2015 delphij

MFC r278739:

Disallow pattern spaces which would cause intermediate calculations to
overflow size_t.

Obtained from: DragonFly (2841837793bd095a82f477e9c370cfe6cfb3862c dillon)
Security: CERT VU#695940


# 276548 02-Jan-2015 delphij

MFC r275930:

Plug a memory leak.

Obtained from: DragonFlyBSD (commit 5119ece)


# 269484 03-Aug-2014 pfg

MFC r268066:
regex(3): Add support for \< and \> word delimiters

Solaris and other OSs have support for \< and \> as word
delimiters in utilities like sed(1). These are useful to
have for general compatibility with Solaris but should be
avoided for portability with other systems, including the
traditional BSDs.

Bump __FreeBSD_version as this is likely to affect some
userland utilities.

Reference:
https://www.illumos.org/issues/516

PR: bin/153257
Obtained from: Illumos


# 265726 08-May-2014 pfg

MFC r265202:
Remove some unreachable breaks in regex.

This is based on a much bigger cleanup done in Illumos.

Reference:
https://www.illumos.org/issues/2077

