Date: Sat, 24 Jul 1999 08:20:02 -0700 (PDT) From: Alexander Viro <viro@math.psu.edu> To: freebsd-bugs@FreeBSD.org Subject: Re: bin/8790: [PATCH] Buffer overrun in nvi-1.79 (exploitable) Message-ID: <199907241520.IAA48907@freefall.freebsd.org>
The following reply was made to PR bin/8790; it has been noted by GNATS.

From: Alexander Viro <viro@math.psu.edu>
To: Nick Hibma <nick.hibma@jrc.it>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/8790: [PATCH] Buffer overrun in nvi-1.79 (exploitable)
Date: Sat, 24 Jul 1999 11:08:43 -0400 (EDT)

On Sat, 24 Jul 1999, Nick Hibma wrote:

> p->g->categories is NC*sizeof(cat_t) big, which is 256 bytes. With
> BACKSL being 1<<8 you end up beyond that limit. Me thinks. Possible
> patch (to src/lib/libc/regex/regcomp.c, rev.1.12):
>
> --- regcomp.c	Wed Sep 16 10:13:00 1998
> +++ /tmp/regcomp.c	Sat Jul 24 14:02:42 1999
> @@ -1043,8 +1043,8 @@
>  			bothcases(p, ch);
>  		else {
>  			EMIT(OCHAR, (unsigned char)ch);
> -			if (cap[ch] == 0)
> -				cap[ch] = p->g->ncategories++;
> +			if (cap[(unsigned char) ch] == 0)
> +				cap[(unsigned char) ch] = p->g->ncategories++;
>  		}
>  	}
>
> Nick

Nope. Note where the cap points to. Your fix will break everything for
characters with 7th bit set. Look: g->categories is initialized in line 241:

	g->categories = &g->catspace[-(CHAR_MIN)];

You need casting to char, not unsigned char here. With that modification
your patch will work, but if you will look at the places where we call
ordinary() you'll see that ch may fall out of the char range only in one
place. Cheaper to cast it there... That's exactly what the patch I've
proposed does.

BTW, last time I checked this bug was in libc too ;-<
The same patch applies - they simply share the code.
	Al

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
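Review bot: the `(unsigned char)` casts on the two `cap[...]` lines of the hunk relocate the out-of-bounds access instead of removing it. `g->categories` is `&g->catspace[-(CHAR_MIN)]`, so the only valid subscripts are `CHAR_MIN..CHAR_MAX`; an unsigned value in 128..255 lands past the end of the 256-byte `catspace` for every character with the high bit set, which is exactly the case the reply points out. Narrow with `char` instead, e.g. `if (cap[(char) ch] == 0)` and `cap[(char) ch] = p->g->ncategories++;`, which also drops the BACKSL bit, or, as the reply suggests, apply the cast once at the single `ordinary()` call site where `ch` can exceed the char range.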
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199907241520.IAA48907>
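The point argued in the thread (a table addressed through `&catspace[-CHAR_MIN]` is safe for any `char` subscript, unsafe for an `unsigned char` with the high bit set, and unsafe for an `int` still carrying the BACKSL flag) is easy to check numerically. The following is an added example written for this page, not code from regcomp.c or from either poster; `struct cat_table`, `cat_init`, `cat_offset`, the `index_*_ok` helpers, `assign_category` and `demo_assign` are hypothetical names, and the table mirrors only the shape the thread describes (NC one-byte slots, a pointer offset by `-CHAR_MIN`, BACKSL = 1<<CHAR_BIT).

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed mirror of the category table discussed in the thread
 * (hypothetical, not the library's own definitions). */
#define NC     (CHAR_MAX - CHAR_MIN + 1)   /* 256 slots on 8-bit-char platforms */
#define BACKSL (1 << CHAR_BIT)             /* 256: flag OR'ed into an escaped char */

typedef unsigned char cat_t;

struct cat_table {
    cat_t  catspace[NC];
    cat_t *categories;   /* = &catspace[-CHAR_MIN]; valid subscripts: CHAR_MIN..CHAR_MAX */
    int    ncategories;  /* next category number to hand out; 0 is "never seen" */
};

static void cat_init(struct cat_table *t)
{
    for (size_t i = 0; i < NC; i++)
        t->catspace[i] = 0;
    t->categories  = &t->catspace[-(CHAR_MIN)];
    t->ncategories = 1;
}

/* Offset into catspace that categories[idx] would touch (no memory access). */
static long cat_offset(int idx)
{
    return (long)idx - (long)CHAR_MIN;
}

/* Pure bounds check: does categories[idx] stay inside catspace? */
static bool cat_index_ok(int idx)
{
    long off = cat_offset(idx);
    return off >= 0 && off < (long)NC;
}

/* The three subscripting choices from the thread, applied to the same ch. */
static bool index_raw_ok(int ch)   { return cat_index_ok(ch); }                  /* cap[ch] */
static bool index_uchar_ok(int ch) { return cat_index_ok((unsigned char)ch); }   /* proposed patch */
static bool index_char_ok(int ch)  { return cat_index_ok((char)ch); }            /* the reply's suggestion */

/* Hardened indexing step: narrowing to char strips the BACKSL flag and keeps
 * the subscript inside CHAR_MIN..CHAR_MAX, so a high-bit character such as
 * 0xE9 is looked up as a negative offset from categories, not past the end. */
static int assign_category(struct cat_table *t, int ch)
{
    cat_t *cap = t->categories;
    char   c   = (char)ch;
    if (cap[c] == 0)
        cap[c] = (cat_t)t->ncategories++;
    return cap[c];
}

/* Assigns categories for a plain char, its escaped form, a second char and a
 * high-bit char; returns the number of distinct categories handed out (3). */
static int demo_assign(void)
{
    struct cat_table t;
    cat_init(&t);
    assign_category(&t, 'a');
    assign_category(&t, BACKSL | 'a');   /* same character, flag stripped */
    assign_category(&t, 'b');
    assign_category(&t, 0xE9);           /* high bit set: index must go negative, not to 361 */
    return t.ncategories - 1;
}

int main(void)
{
    const int samples[] = { 'a', 0xE9, BACKSL | 'a', BACKSL | 0xE9 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ch = samples[i];
        printf("ch=0x%03x  raw:%s  (unsigned char):%s  (char):%s  offset(char)=%ld\n",
               ch,
               index_raw_ok(ch)   ? "ok " : "OOB",
               index_uchar_ok(ch) ? "ok " : "OOB",
               index_char_ok(ch)  ? "ok " : "OOB",
               cat_offset((char)ch));
    }
    printf("distinct categories assigned: %d\n", demo_assign());
    return 0;
}
```

On a platform where `char` is signed (the common case), the table shows the raw `int` subscript overrunning for any escaped character, the `(unsigned char)` subscript overrunning for every character with the high bit set, and the `(char)` subscript staying in range for all four inputs; where `char` is unsigned, `CHAR_MIN` is 0 and the `(unsigned char)` and `(char)` columns coincide.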