From owner-freebsd-bugs@FreeBSD.ORG Sun Jan 27 21:50:01 2013
Return-Path:
Delivered-To: freebsd-bugs@smarthost.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 4F67834D for ; Sun, 27 Jan 2013 21:50:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 3F521881 for ; Sun, 27 Jan 2013 21:50:01 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.6/8.14.6) with ESMTP id r0RLo1ft079000 for ; Sun, 27 Jan 2013 21:50:01 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.6/8.14.6/Submit) id r0RLo1QF078996; Sun, 27 Jan 2013 21:50:01 GMT (envelope-from gnats)
Date: Sun, 27 Jan 2013 21:50:01 GMT
Message-Id: <201301272150.r0RLo1QF078996@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
Cc:
From: Mark Johnston
Subject: Re: bin/175213: bsdgrep(1) segfaults upon malicious input
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
Reply-To: Mark Johnston
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 27 Jan 2013 21:50:01 -0000

The following reply was made to PR bin/175213; it has been noted by GNATS.
From: Mark Johnston
To: bug-followup@FreeBSD.org, deeptech71@gmail.com
Cc:
Subject: Re: bin/175213: bsdgrep(1) segfaults upon malicious input
Date: Sun, 27 Jan 2013 09:41:33 -0500

--ReaqsoxgOBHFXBhH
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

The attached patch should fix the problem. The bounds-checking code in IS_OUT_OF_BOUNDS is not quite right; based on the code in SHIFT, (j - 1) or (j + fg->len) must be valid indices into str_byte (depending on whether a reversed search is being done).

I have a little program which reproduces this problem on my machine; it's posted here: http://people.freebsd.org/~markj/prs/175213/

Thanks,
-Mark

--ReaqsoxgOBHFXBhH
Content-Type: text/x-diff; charset=us-ascii
Content-Disposition: attachment; filename="bsdgrep_bounds.diff"

diff --git a/usr.bin/grep/regex/tre-fastmatch.c b/usr.bin/grep/regex/tre-fastmatch.c index b7a7c91..e363a28 100644 --- a/usr.bin/grep/regex/tre-fastmatch.c +++ b/usr.bin/grep/regex/tre-fastmatch.c @@ -101,9 +101,9 @@ static int fastcmp(const fastmatch_t *fg, const void *data, #define IS_OUT_OF_BOUNDS \ ((!fg->reversed \ - ? ((type == STR_WIDE) ? ((j + fg->wlen) > len) \ - : ((j + fg->len) > len)) \ - : (j < 0))) + ? ((type == STR_WIDE) ? ((j + fg->wlen) >= len) \ + : ((j + fg->len) >= len)) \ + : (j <= 0))) /* * Checks whether the new position after shifting in the input string

--ReaqsoxgOBHFXBhH--
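Review bot: the invariant that justifies turning `>` into `>=` and `< 0` into `<= 0` in IS_OUT_OF_BOUNDS (that the shift step reads str_byte[j + fg->len] on a forward search and str_byte[j - 1] on a reversed one, so the boundary index itself must count as out of range) is stated only in this mail; a one-line comment above `#define IS_OUT_OF_BOUNDS` naming the index SHIFT reads would let the next reader see why the comparison is inclusive without digging up the PR. Two points to confirm before commit: the STR_WIDE branch receives the same tightening with `fg->wlen` against `len`, which is only correct if the wide-character path reads str_wide[j + fg->wlen] exactly as the byte path reads str_byte[j + fg->len] (the mail argues the byte case only); and the reproducer input published at the linked page belongs in the grep regression tests, since an off-by-one in a bounds macro is the kind of defect that silently returns on a later refactor.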
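To make the off-by-one concrete, here is a small stand-alone model of the bounds predicate before and after the patch. It is an added illustration, not code from the PR or from tre-fastmatch.c; it assumes, as the follow-up states, that the shift step reads index j + fg->len on a forward search and j - 1 on a reversed one, and it omits the STR_WIDE branch. The sizes in `main` are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Minimal model of IS_OUT_OF_BOUNDS from tre-fastmatch.c.
 * j    : current window start in the searched string
 * plen : pattern length in bytes (fg->len)
 * len  : length of the searched string
 * The wide-character branch is left out; it has the same shape with wlen. */

/* Predicate as it stood before the patch (the '-' lines of the diff). */
static bool oob_before(long j, long plen, long len, bool reversed)
{
    return reversed ? (j < 0) : ((j + plen) > len);
}

/* Predicate after the patch (the '+' lines of the diff). */
static bool oob_after(long j, long plen, long len, bool reversed)
{
    return reversed ? (j <= 0) : ((j + plen) >= len);
}

/* Index the shift step reads next. This is an assumption taken from the
 * PR follow-up ("(j - 1) or (j + fg->len) must be valid indices"), not
 * from the SHIFT macro itself. */
static long shift_read_index(long j, long plen, bool reversed)
{
    return reversed ? (j - 1) : (j + plen);
}

/* True if the predicate lets the shift read outside [0, len) for this j.
 * When the predicate says "out of bounds" the search stops and nothing
 * is read, so that case is never an over-read. */
static bool predicate_allows_overread(bool (*oob)(long, long, long, bool),
                                      long j, long plen, long len,
                                      bool reversed)
{
    if (oob(j, plen, len, reversed))
        return false;
    long idx = shift_read_index(j, plen, reversed);
    return idx < 0 || idx >= len;
}

/* Try every window start the matcher could plausibly reach (one past
 * each end) and report whether any of them reads out of range. */
static bool has_overread(bool (*oob)(long, long, long, bool),
                         long plen, long len, bool reversed)
{
    for (long j = -1; j <= len; j++)
        if (predicate_allows_overread(oob, j, plen, len, reversed))
            return true;
    return false;
}

int main(void)
{
    const long plen = 3, len = 10;   /* constructed sizes */

    /* Forward: before the patch j = 7 passes (7 + 3 > 10 is false) but the
     * shift then reads index 10, one past the end. After the patch it stops. */
    printf("forward  before: overread=%d  after: overread=%d\n",
           has_overread(oob_before, plen, len, false),
           has_overread(oob_after, plen, len, false));

    /* Reversed: before the patch j = 0 passes (0 < 0 is false) but the
     * shift reads index -1. After the patch j <= 0 stops the search. */
    printf("reversed before: overread=%d  after: overread=%d\n",
           has_overread(oob_before, plen, len, true),
           has_overread(oob_after, plen, len, true));
    return 0;
}
```

The model only reasons about indices; it does not touch memory, so it can be run anywhere to see which window starts the old predicate waves through. Exhaustively checking every j for a given pair of lengths is also how one would write a regression check for the macro if the index it reads were exposed as a function.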