Date: Tue, 9 Aug 2016 19:20:53 +0000 (UTC) From: Dimitry Andric <dim@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r303888 - stable/11/usr.bin/grep/regex Message-ID: <201608091920.u79JKrIl062103@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: dim Date: Tue Aug 9 19:20:53 2016 New Revision: 303888 URL: https://svnweb.freebsd.org/changeset/base/303888 Log: MFC r303676: Fix a segfault in bsdgrep when parsing the invalid extended regexps "?" or "+" (these are invalid, because there is no preceding operand). When bsdgrep attempts to emulate GNU grep in discarding and ignoring the invalid ? or + operators, some later logic in tre_compile_fast() goes beyond the end of the buffer, leading to a crash. Fix this by bailing out, and reporting a bad pattern instead. Approved by: re (gjb, kib) Reported by: Steve Kargl Modified: stable/11/usr.bin/grep/regex/tre-fastmatch.c Directory Properties: stable/11/ (props changed) Modified: stable/11/usr.bin/grep/regex/tre-fastmatch.c ============================================================================== --- stable/11/usr.bin/grep/regex/tre-fastmatch.c Tue Aug 9 19:06:05 2016 (r303887) +++ stable/11/usr.bin/grep/regex/tre-fastmatch.c Tue Aug 9 19:20:53 2016 (r303888) @@ -621,7 +621,7 @@ tre_compile_fast(fastmatch_t *fg, const case TRE_CHAR('+'): case TRE_CHAR('?'): if ((cflags & REG_EXTENDED) && (i == 0)) - continue; + goto badpat; else if ((cflags & REG_EXTENDED) ^ !escaped) STORE_CHAR; else
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201608091920.u79JKrIl062103>