Date: Mon, 20 May 2013 03:15:25 +0000 (UTC) From: "Pedro F. Giffuni" <pfg@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r250823 - head/gnu/usr.bin/grep Message-ID: <201305200315.r4K3FPQc074576@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: pfg Date: Mon May 20 03:15:25 2013 New Revision: 250823 URL: http://svnweb.freebsd.org/changeset/base/250823 Log: grep: change some int types. Change several int variables to size_t, ssize_t, or ptrdiff_t. This should fix the bug described in CVE-2012-5667 when an input line is so long that its length cannot be stored in an int variable. This is based on NetBSD's revision which says: This change to NetBSD's version of GNU grep 2.5.1 (licenced under GPLv2) was made without direct reference to any code licenced under GPLv3. Obtained from: NetBSD MFC after: 3 days Modified: head/gnu/usr.bin/grep/dfa.c head/gnu/usr.bin/grep/grep.c head/gnu/usr.bin/grep/search.c Modified: head/gnu/usr.bin/grep/dfa.c ============================================================================== --- head/gnu/usr.bin/grep/dfa.c Mon May 20 03:03:23 2013 (r250822) +++ head/gnu/usr.bin/grep/dfa.c Mon May 20 03:15:25 2013 (r250823) @@ -334,9 +334,10 @@ static int hard_LC_COLLATE; /* Nonzero i #ifdef MBS_SUPPORT /* These variables are used only if (MB_CUR_MAX > 1). */ static mbstate_t mbs; /* Mbstate for mbrlen(). */ -static int cur_mb_len; /* Byte length of the current scanning - multibyte character. */ -static int cur_mb_index; /* Byte index of the current scanning multibyte +static ssize_t cur_mb_len; /* Byte length of the current scanning + multibyte character. Must also handle + negative result from mbrlen(). */ +static ssize_t cur_mb_index; /* Byte index of the current scanning multibyte character. singlebyte character : cur_mb_index = 0 @@ -369,7 +370,7 @@ static unsigned char const *buf_end; /* /* This function update cur_mb_len, and cur_mb_index. p points current lexptr, len is the remaining buffer length. */ static void -update_mb_len_index (unsigned char const *p, int len) +update_mb_len_index (unsigned char const *p, size_t len) { /* If last character is a part of a multibyte character, we update cur_mb_index. */ @@ -2463,7 +2464,7 @@ match_mb_charset (struct dfa *d, int s, int match; /* Flag which represent that matching succeed. */ int match_len; /* Length of the character (or collating element) with which this operator match. */ - int op_len; /* Length of the operator. */ + size_t op_len; /* Length of the operator. */ char buffer[128]; wchar_t wcbuf[6]; Modified: head/gnu/usr.bin/grep/grep.c ============================================================================== --- head/gnu/usr.bin/grep/grep.c Mon May 20 03:03:23 2013 (r250822) +++ head/gnu/usr.bin/grep/grep.c Mon May 20 03:15:25 2013 (r250823) @@ -1350,9 +1350,9 @@ int main (int argc, char **argv) { char *keys; - size_t keycc, oldcc, keyalloc; + size_t cc, keycc, oldcc, keyalloc; int with_filenames; - int opt, cc, status; + int opt, status; int default_context; FILE *fp; extern char *optarg; Modified: head/gnu/usr.bin/grep/search.c ============================================================================== --- head/gnu/usr.bin/grep/search.c Mon May 20 03:03:23 2013 (r250822) +++ head/gnu/usr.bin/grep/search.c Mon May 20 03:15:25 2013 (r250823) @@ -112,7 +112,7 @@ static void kwsinit (void) { static char trans[NCHAR]; - int i; + size_t i; if (match_icase) for (i = 0; i < NCHAR; ++i) @@ -326,7 +326,8 @@ EGexecute (char const *buf, size_t size, { register char const *buflim, *beg, *end; char eol = eolbyte; - int backref, start, len; + int backref; + ptrdiff_t start, len; struct kwsmatch kwsm; size_t i, ret_val; static int use_dfa;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201305200315.r4K3FPQc074576>