Date:      Sun, 27 Jan 2013 21:50:01 GMT
From:      Mark Johnston <markj@freebsd.org>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: bin/175213: bsdgrep(1) segfaults upon malicious input
Message-ID:  <201301272150.r0RLo1QF078996@freefall.freebsd.org>

The following reply was made to PR bin/175213; it has been noted by GNATS.

From: Mark Johnston <markj@freebsd.org>
To: bug-followup@FreeBSD.org, deeptech71@gmail.com
Cc:  
Subject: Re: bin/175213: bsdgrep(1) segfaults upon malicious input
Date: Sun, 27 Jan 2013 09:41:33 -0500

 The attached patch should fix the problem. The bounds-checking code in
 IS_OUT_OF_BOUNDS is not quite right; based on the code in SHIFT, (j - 1)
 or (j + fg->len) must be valid indices into str_byte (depending on
 whether a reversed search is being done).
 
 I have a little program which reproduces this problem on my machine;
 it's posted here: http://people.freebsd.org/~markj/prs/175213/
 
 Thanks,
 -Mark
 
 [Attachment: bsdgrep_bounds.diff]
 
 diff --git a/usr.bin/grep/regex/tre-fastmatch.c b/usr.bin/grep/regex/tre-fastmatch.c
 index b7a7c91..e363a28 100644
 --- a/usr.bin/grep/regex/tre-fastmatch.c
 +++ b/usr.bin/grep/regex/tre-fastmatch.c
 @@ -101,9 +101,9 @@ static int	fastcmp(const fastmatch_t *fg, const void *data,
  
  #define IS_OUT_OF_BOUNDS						\
    ((!fg->reversed							\
 -    ? ((type == STR_WIDE) ? ((j + fg->wlen) > len)			\
 -			  : ((j + fg->len) > len))			\
 -    : (j < 0)))
 +    ? ((type == STR_WIDE) ? ((j + fg->wlen) >= len)			\
 +			  : ((j + fg->len) >= len))			\
 +    : (j <= 0)))
  
  /*
   * Checks whether the new position after shifting in the input string
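 Review bot: the tightened comparisons in this hunk come with no comment saying why index len (or index 0 when reversed) is out of bounds, so the next reader is likely to "fix" `>=` back to `>`; add a line above the `#define` such as `/* SHIFT reads str_byte[j + fg->len] (str_byte[j - 1] when reversed); those indices must be valid. */`. Note also that with `>=` the window [j, j + fg->len) that ends exactly at len is now rejected even though the comparison itself only touches indices up to j + fg->len - 1; confirm that the caller compares that end-aligned position (and j == 0 for a reversed search) before this check stops the loop, otherwise a match flush against the end of the buffer is missed. The same applies to the STR_WIDE branch with fg->wlen.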
 
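As an added example (not TRE's code and not part of this PR or the attached patch), the C program below is a small Quick Search style loop whose shift step, like SHIFT, reads the byte just past the current window, text[j + plen]. A `fixed` flag switches between the original-style bound (only windows that overrun the buffer are rejected, so the shift can read text[len]) and the tightened bound from the patch, applied after the end-aligned window has been compared so that a match flush against the end of the text is still found. The names (probe, peek, search, find) and the sample texts are constructed for this example; reads past the end are counted by a checked accessor instead of being dereferenced, which is what makes the buggy variant safe to run.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not the TRE fastmatch implementation.
 * A text buffer plus a counter of attempted reads at index >= len. */
struct probe {
    const unsigned char *text;
    size_t len;
    size_t oob_reads;
};

struct result {
    long pos;          /* match offset, or -1 */
    size_t oob_reads;  /* reads past the end the variant attempted */
};

/* Checked accessor: an out-of-range read is counted and yields 0 instead
 * of dereferencing past the buffer. */
static unsigned char peek(struct probe *p, size_t idx)
{
    if (idx >= p->len) {
        p->oob_reads++;
        return 0;
    }
    return p->text[idx];
}

/* Quick Search bad-character table: shift so that the byte just past the
 * window lines up with its rightmost occurrence in the pattern. */
static void build_bc(const unsigned char *pat, size_t plen, size_t bc[256])
{
    for (size_t i = 0; i < 256; i++)
        bc[i] = plen + 1;
    for (size_t i = 0; i < plen; i++)
        bc[pat[i]] = plen - i;
}

/* Forward search. With fixed == false the loop keeps the original-style
 * bound only (a window is rejected when j + plen > len), so after comparing
 * the end-aligned window the shift reads text[len]. With fixed == true the
 * loop stops when j + plen >= len, but only after that window was compared. */
static long search(struct probe *p, const unsigned char *pat, size_t plen, bool fixed)
{
    size_t bc[256];
    size_t j = 0;

    if (plen == 0 || plen > p->len)
        return -1;
    build_bc(pat, plen, bc);

    do {
        size_t i = 0;
        /* The comparison needs only indices j .. j + plen - 1. */
        while (i < plen && peek(p, j + i) == pat[i])
            i++;
        if (i == plen)
            return (long)j;
        /* Tightened bound: the end-aligned window has just been compared,
         * and text[j + plen] would be text[len], so stop before reading it. */
        if (fixed && j + plen >= p->len)
            break;
        /* Shift step consults the byte just past the window. */
        j += bc[peek(p, j + plen)];
    } while (j + plen <= p->len);  /* original-style bound: reject overruns only */

    return -1;
}

/* Convenience wrapper over C strings; reports offset and out-of-range reads. */
static struct result find(const char *text, const char *pat, bool fixed)
{
    struct probe p = { (const unsigned char *)text, strlen(text), 0 };
    struct result r;

    r.pos = search(&p, (const unsigned char *)pat, strlen(pat), fixed);
    r.oob_reads = p.oob_reads;
    return r;
}

int main(void)
{
    /* Constructed inputs: a pattern that is found flush against the end, and
     * one whose last window mismatches so the shift is attempted there. */
    struct result r = find("needle in a haystack", "stack", true);
    printf("fixed bound: pos=%ld reads past end=%zu\n", r.pos, r.oob_reads);
    r = find("aaaa", "ab", false);
    printf("original bound: pos=%ld reads past end=%zu\n", r.pos, r.oob_reads);
    r = find("aaaa", "ab", true);
    printf("fixed bound: pos=%ld reads past end=%zu\n", r.pos, r.oob_reads);
    return 0;
}
```

The ordering is the point to verify when a bound moves from `>` to `>=`: compare the window first, then apply the tightened check, then shift. If the check ran before the comparison, the window ending exactly at len would never be compared and a match at the end of the buffer would be lost; if it ran only after the shift, the shift would already have read one byte past the end.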

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201301272150.r0RLo1QF078996>