325394 | 04-Nov-2017 | pfg
MFC r325066: Fix out-of-bounds read in libc/regex.
The bug is an out-of-bounds read detected with address sanitizer that happens when 'sp' in p_b_coll_elems() includes NUL byte[s], e.g. if it's equal to "GS\x00". In that case len will be equal to 4, and the strncmp(cp->name, sp, len) call will succeed when cp->name is "GS" but the cp->name[len] == '\0' comparison will cause the read to go out-of-bounds.
Checking the length using strlen() instead eliminates the issue.
The bug was found in LLVM with oss-fuzz: https://reviews.llvm.org/D39380
Obtained from: Vlad Tsyrklevich through posting on openbsd-tech

318030 | 09-May-2017 | brooks
MFC r317707:
Correct an out-of-bounds read in regcomp when the RE is bad.
When passed the invalid regular expression "a**", the error is eventually detected and seterr() is called. It sets p->error appropriately and p->next and p->end to nuls which is a never used char nuls[10] which is zeros due to .bss initialization. Unfortunately, p_ere_exp() and p_simp_re() both have fall through cases where they set the error, decrement p->next and access it which means a read from whatever .bss variable comes before nuls.
Found with regex_test:repet_multi and CHERI bounds checking.
Reviewed by: ngie, pfg, emaste
Obtained from: CheriBSD
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D10541

303185 | 22-Jul-2016 | ache
MFC: r302824
1) Eliminate possibility to call __*collate_range_cmp() with incomplete locale (which causes a core dump) by removing whole 'table' argument by which it passed.
2) Restore __collate_range_cmp() in __sccl().
3) Collating [a-z] range in regcomp() works for single byte locales only (we can't do it for other ones). In previous state only first 256 wide chars are considered and all others are just silently dropped from the range.

278910 | 17-Feb-2015 | delphij
MFC r278739:
Disallow pattern spaces which would cause intermediate calculations to overflow size_t.
Obtained from: DragonFly (2841837793bd095a82f477e9c370cfe6cfb3862c dillon)
Security: CERT VU#695940

276548 | 02-Jan-2015 | delphij
MFC r275930:
Plug a memory leak.
Obtained from: DragonFlyBSD (commit 5119ece)

269484 | 03-Aug-2014 | pfg
MFC r268066: regex(3): Add support for \< and \> word delimiters
Solaris and other OSs have support for \< and \> as word delimiters in utilities like sed(1). These are useful to have for general compatibility with Solaris but should be avoided for portability with other systems, including the traditional BSDs.
Bump __FreeBSD_version as this is likely to affect some userland utilities.
Reference: https://www.illumos.org/issues/516
PR: bin/153257
Obtained from: Illumos

265726 | 08-May-2014 | pfg
MFC r265202: Remove some unreachable breaks in regex.
This is based on a much bigger cleanup done in Illumos.
Reference: https://www.illumos.org/issues/2077