From owner-freebsd-bugs Sat Jul 24 5:22:13 1999
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 8AB961505A for ; Sat, 24 Jul 1999 05:22:11 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id FAA41032; Sat, 24 Jul 1999 05:20:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Date: Sat, 24 Jul 1999 05:20:01 -0700 (PDT)
Message-Id: <199907241220.FAA41032@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
Cc:
From: Nick Hibma
Subject: Re: bin/8790: [PATCH] Buffer overrun in nvi-1.79 (exploitable)
Reply-To: Nick Hibma
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The following reply was made to PR bin/8790; it has been noted by GNATS.

From: Nick Hibma
To: freebsd-gnats-submit@freebsd.org, viro@math.psu.edu
Cc:
Subject: Re: bin/8790: [PATCH] Buffer overrun in nvi-1.79 (exploitable)
Date: Sat, 24 Jul 1999 14:07:16 +0200

The problem is probably in ordinary():

    static void
    ordinary(p, ch)
    register struct parse *p;
    register int ch;
    {
            register cat_t *cap = p->g->categories;

            if ((p->g->cflags&REG_ICASE) && isalpha((unsigned char)ch)
                && othercase(ch) != ch)
                    bothcases(p, ch);
            else {
                    EMIT(OCHAR, (unsigned char)ch);
                    if (cap[ch] == 0)
                            cap[ch] = p->g->ncategories++;
            }
    }

p->g->categories is NC*sizeof(cat_t) big, which is 256 bytes. With BACKSL
being 1<<8 you end up beyond that limit. Me thinks.

Possible patch (to src/lib/libc/regex/regcomp.c, rev.1.12):

--- regcomp.c	Wed Sep 16 10:13:00 1998
+++ /tmp/regcomp.c	Sat Jul 24 14:02:42 1999
@@ -1043,8 +1043,8 @@ bothcases(p, ch); else { EMIT(OCHAR, (unsigned char)ch); - if (cap[ch] == 0) - cap[ch] = p->g->ncategories++; + if (cap[(unsigned char) ch] == 0) + cap[(unsigned char) ch] = p->g->ncategories++; } } Nick -- ISIS/STA, T.P.270, Joint Research Centre, 21020 Ispra, Italy To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
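Review bot: the cast in the two `+` lines makes the cap[] index agree with the EMIT(OCHAR, (unsigned char)ch) three lines above it, which closes the out-of-range write, but it also means any caller that hands ordinary() a value with BACKSL (1<<8) set now silently shares a category with the plain low byte. It would be worth recording in the commit message why a value >= NC reaches ordinary() at all, or adding an assert that ch fits in an unsigned char, so a later reader sees the cast is a bounds fix and not a stray truncation.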
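As an added illustration, not code from the PR or from libc's regcomp.c, here is a small model of the category bookkeeping ordinary() does, assuming NC = 256, cat_t = unsigned char and BACKSL = 1<<8 as the mail describes; it reports the index the unpatched and patched code would use instead of writing past the array.

```c
/* Constructed model of ordinary()'s cap[] bookkeeping; NC, cat_t and
 * BACKSL are assumed from the mail, everything else is made up here. */
#include <stdio.h>
#include <string.h>

#define NC      256          /* categories array holds 256 entries */
#define BACKSL  (1 << 8)     /* escape flag bit: pushes ch to 256..511 */
typedef unsigned char cat_t;

struct guts_model {
    cat_t categories[NC];
    int   ncategories;
};

/* Index ordinary() uses for cap[].  Unpatched: ch as-is.  Patched:
 * truncated to an unsigned char, the same value EMIT(OCHAR, ...) stores. */
static int cat_index(int ch, int patched)
{
    return patched ? (int)(unsigned char)ch : ch;
}

/* Assign a category the way ordinary() does, but refuse any index outside
 * the array.  Returns the category, or -1 where the unpatched code would
 * have written past cap[]. */
static int assign_category(struct guts_model *g, int ch, int patched)
{
    int idx = cat_index(ch, patched);

    if (idx < 0 || idx >= NC)
        return -1;           /* out-of-bounds write in the original */
    if (g->categories[idx] == 0)
        g->categories[idx] = (cat_t)g->ncategories++;
    return g->categories[idx];
}

int main(void)
{
    struct guts_model g;
    int ch = BACKSL | 'a';   /* an escaped character reaching ordinary() */

    memset(&g, 0, sizeof g);
    g.ncategories = 1;       /* category 0 is the default bucket in regcomp.c */
    printf("unpatched: index %d with NC=%d -> %d\n",
           cat_index(ch, 0), NC, assign_category(&g, ch, 0));
    printf("patched:   index %d -> category %d\n",
           cat_index(ch, 1), assign_category(&g, ch, 1));
    return 0;
}
```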