Date: Sat, 24 Jul 1999 05:20:01 -0700 (PDT)
From: Nick Hibma <nick.hibma@jrc.it>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/8790: [PATCH] Buffer overrun in nvi-1.79 (exploitable)
Message-ID: <199907241220.FAA41032@freefall.freebsd.org>
The following reply was made to PR bin/8790; it has been noted by GNATS.

From: Nick Hibma <nick.hibma@jrc.it>
To: freebsd-gnats-submit@freebsd.org, viro@math.psu.edu
Cc:
Subject: Re: bin/8790: [PATCH] Buffer overrun in nvi-1.79 (exploitable)
Date: Sat, 24 Jul 1999 14:07:16 +0200

The problem is probably in ordinary():

    static void
    ordinary(p, ch)
    register struct parse *p;
    register int ch;
    {
        register cat_t *cap = p->g->categories;

        if ((p->g->cflags & REG_ICASE) && isalpha((unsigned char)ch)
            && othercase(ch) != ch)
            bothcases(p, ch);
        else {
            EMIT(OCHAR, (unsigned char)ch);
            if (cap[ch] == 0)
                cap[ch] = p->g->ncategories++;
        }
    }

p->g->categories is NC*sizeof(cat_t) big, which is 256 bytes. With BACKSL
being 1<<8 you end up beyond that limit. Me thinks.

Possible patch (to src/lib/libc/regex/regcomp.c, rev.1.12):

--- regcomp.c	Wed Sep 16 10:13:00 1998
+++ /tmp/regcomp.c	Sat Jul 24 14:02:42 1999
@@ -1043,8 +1043,8 @@
 			bothcases(p, ch);
 		else {
 			EMIT(OCHAR, (unsigned char)ch);
-			if (cap[ch] == 0)
-				cap[ch] = p->g->ncategories++;
+			if (cap[(unsigned char) ch] == 0)
+				cap[(unsigned char) ch] = p->g->ncategories++;
 		}
 	}

Nick

--
ISIS/STA, T.P.270, Joint Research Centre, 21020 Ispra, Italy

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
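Review bot: the cast is applied only at the two cap[...] index sites, while the `isalpha((unsigned char)ch)` and `othercase(ch) != ch` tests a few lines above this hunk (visible in the quoted ordinary() body) and the `bothcases(p, ch)` call on the first context line still receive ch with the BACKSL bit set; stripping the flag once on entry to ordinary() (`ch = (unsigned char)ch;` before `cap` is used, or at the call site that ORs in BACKSL) keeps every use of ch consistent instead of masking it in two places and not the others. A one-line comment at the changed lines saying that an escaped character arrives as BACKSL|byte and must be reduced to the byte before indexing the NC-entry table would also make the reason for the cast visible to the next reader of rev.1.13.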
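To make the index arithmetic in the mail concrete, here is an added example that is not code from the mail, from nvi or from libc: a stand-alone C model of the `cap[ch]` update in ordinary(), run once with the raw `int` index (the code as quoted) and once with the `(unsigned char)` cast from the proposed patch. `struct guts`, the guard region behind the 256-slot table, `guts_init`, `record_category` and `escaped_char_overruns` are all constructed for this demo; `NC`, `BACKSL` and `cat_t` carry the values the mail states (256, 1<<8, a byte-sized category).

```c
/*
 * Added example, not code from the mail or from libc: a stand-alone model
 * of the cap[ch] update in regcomp.c's ordinary(), showing why a
 * backslash-escaped character (ch = BACKSL | byte, BACKSL = 1 << 8)
 * indexes past a 256-entry categories table, and how the
 * (unsigned char) cast in the proposed patch keeps the index in range.
 * struct guts and its guard region are constructed for the demo and are
 * not libc's real struct re_guts.
 */
#include <stdio.h>
#include <string.h>

#define NC      256         /* one category slot per byte value */
#define BACKSL  (1 << 8)    /* flag the parser ORs into an escaped char */

typedef unsigned char cat_t;

struct guts {
    /* mem[0..NC) stands in for categories[]; mem[NC..2*NC) is a
     * constructed guard region so an overrun is observable without
     * leaving this struct (indexing one array keeps the demo defined). */
    cat_t mem[2 * NC];
    int   ncategories;
};

static void guts_init(struct guts *g)
{
    memset(g, 0, sizeof *g);
    g->ncategories = 1;     /* 0 means "no category yet", as the == 0 test implies */
}

/*
 * Mirrors "if (cap[ch] == 0) cap[ch] = p->g->ncategories++;".
 * patched == 0 indexes with the raw int (the code quoted in the mail);
 * patched != 0 indexes with (unsigned char)ch (the proposed fix).
 * Returns the index actually written, or -1 if it would leave the model.
 */
static int record_category(struct guts *g, int ch, int patched)
{
    int idx = patched ? (unsigned char)ch : ch;

    if (idx < 0 || idx >= 2 * NC)
        return -1;
    if (g->mem[idx] == 0)
        g->mem[idx] = (cat_t)g->ncategories++;
    return idx;
}

/* Number of guard bytes that are no longer zero: any hit is an overrun. */
static int guard_hits(const struct guts *g)
{
    int i, n = 0;
    for (i = NC; i < 2 * NC; i++)
        n += g->mem[i] != 0;
    return n;
}

/* Feeds one escaped byte through the model; returns the guard hit count. */
static int escaped_char_overruns(int byte, int patched)
{
    struct guts g;
    guts_init(&g);
    record_category(&g, BACKSL | (unsigned char)byte, patched);
    return guard_hits(&g);
}

int main(void)
{
    int idx_raw = BACKSL | 'n';                   /* 256 + 110 = 366 */
    int idx_fix = (unsigned char)(BACKSL | 'n');  /* 110 */

    printf("escaped 'n': raw index %d, masked index %d, NC = %d\n",
           idx_raw, idx_fix, NC);
    printf("unpatched: %d guard byte(s) written\n", escaped_char_overruns('n', 0));
    printf("patched:   %d guard byte(s) written\n", escaped_char_overruns('n', 1));
    return 0;
}
```

The write lands at offset `256 + byte`, i.e. exactly one `cat_t` slot past the table for every escaped byte value, which is why the mail's reading of the 256-byte limit is enough to explain the overrun; in real libc that slot is whatever follows `categories` in the allocation, not a guard.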