Blame SOURCES/glibc-rh757888.patch

commit f3a6cc0a560a17f32a3e90d2f20501a53cab6058
Author: Andreas Schwab <schwab@redhat.com>
Date:   Tue Nov 29 10:52:22 2011 +0100
    Fix access after end of search string in regex matcher
b40826
diff --git a/locale/weight.h b/locale/weight.h
b40826
index dc70a00..967e176 100644
b40826
--- a/locale/weight.h
b40826
+++ b/locale/weight.h
b40826
@@ -1,4 +1,4 @@
b40826
-/* Copyright (C) 1996,1997,1998,1999,2000,2003,2004 Free Software Foundation, Inc.
b40826
+/* Copyright (C) 1996,1997,1998,1999,2000,2003,2004,2011 Free Software Foundation, Inc.
b40826
    This file is part of the GNU C Library.
b40826
    Written by Ulrich Drepper, <drepper@cygnus.com>.
b40826
 
b40826
@@ -20,7 +20,7 @@
b40826
 /* Find index of weight.  */
b40826
 auto inline int32_t
b40826
 __attribute ((always_inline))
b40826
-findidx (const unsigned char **cpp)
b40826
+findidx (const unsigned char **cpp, size_t len)
b40826
 {
b40826
   int_fast32_t i = table[*(*cpp)++];
b40826
   const unsigned char *cp;
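Review bot: The new `len` parameter of findidx is undocumented: the comment above the function still reads `/* Find index of weight.  */`, while callers in this commit pass a computed remaining length, the constant `1`, or `-1`. The `-1` used in posix/regcomp.c, string/strcoll_l.c and string/strxfrm_l.c only means "no limit" through implicit conversion to `size_t`, which is easy to misread as an error value. I would extend the comment to something like `/* Find index of weight.  LEN is the number of elements readable at *CPP and must be at least 1; callers with NUL-terminated input pass (size_t) -1.  */` and spell the sentinel as `(size_t) -1` at those call sites. The same applies to the findidx signature hunk in locale/weightwc.h, and the function body continues outside this hunk.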
b40826
@@ -34,6 +34,7 @@ findidx (const unsigned char **cpp)
b40826
      Search for the correct one.  */
b40826
   cp = &extra[-i];
b40826
   usrc = *cpp;
b40826
+  --len;
b40826
   while (1)
b40826
     {
b40826
       size_t nhere;
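Review bot: `--len` wraps to the largest `size_t` value when a caller passes 0, which turns the `cnt < len` bounds added in the later hunks into no-ops, and by this point `table[*(*cpp)++]` at the top of the function has already read one byte. Three call sites derive the argument from run-time state (`string_end - n` in posix/fnmatch_loop.c, `pstr->len - idx` in posix/regex_internal.h and `elem_len` in posix/regexec.c), and none of those hunks shows the check that keeps the value at 1 or more; a negative difference would convert to a huge length as well. I would state the precondition here with a comment such as `/* LEN >= 1: the first element was consumed above.  */` and confirm that each of those callers rejects exhausted input before the call. locale/weightwc.h has the same `--len` line.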
b40826
@@ -56,7 +57,7 @@ findidx (const unsigned char **cpp)
b40826
 	     already.  */
b40826
 	  size_t cnt;
b40826
 
b40826
-	  for (cnt = 0; cnt < nhere; ++cnt)
b40826
+	  for (cnt = 0; cnt < nhere && cnt < len; ++cnt)
b40826
 	    if (cp[cnt] != usrc[cnt])
b40826
 	      break;
b40826
 
b40826
@@ -79,13 +80,13 @@ findidx (const unsigned char **cpp)
b40826
 	  size_t cnt;
b40826
 	  size_t offset = 0;
b40826
 
b40826
-	  for (cnt = 0; cnt < nhere; ++cnt)
b40826
+	  for (cnt = 0; cnt < nhere && cnt < len; ++cnt)
b40826
 	    if (cp[cnt] != usrc[cnt])
b40826
 	      break;
b40826
 
b40826
 	  if (cnt != nhere)
b40826
 	    {
b40826
-	      if (cp[cnt] > usrc[cnt])
b40826
+	      if (cnt == len || cp[cnt] > usrc[cnt])
b40826
 		{
b40826
 		  /* Cannot be in this range.  */
b40826
 		  cp += 2 * nhere;
b40826
diff --git a/locale/weightwc.h b/locale/weightwc.h
b40826
index 9ea1126..7862091 100644
b40826
--- a/locale/weightwc.h
b40826
+++ b/locale/weightwc.h
b40826
@@ -1,4 +1,4 @@
b40826
-/* Copyright (C) 1996-2001,2003,2004,2005,2007 Free Software Foundation, Inc.
b40826
+/* Copyright (C) 1996-2001,2003,2004,2005,2007,2011 Free Software Foundation, Inc.
b40826
    This file is part of the GNU C Library.
b40826
    Written by Ulrich Drepper, <drepper@cygnus.com>.
b40826
 
b40826
@@ -20,7 +20,7 @@
b40826
 /* Find index of weight.  */
b40826
 auto inline int32_t
b40826
 __attribute ((always_inline))
b40826
-findidx (const wint_t **cpp)
b40826
+findidx (const wint_t **cpp, size_t len)
b40826
 {
b40826
   wint_t ch = *(*cpp)++;
b40826
   int32_t i = __collidx_table_lookup ((const char *) table, ch);
b40826
@@ -32,6 +32,7 @@ findidx (const wint_t **cpp)
b40826
   /* Oh well, more than one sequence starting with this byte.
b40826
      Search for the correct one.  */
b40826
   const int32_t *cp = (const int32_t *) &extra[-i];
b40826
+  --len;
b40826
   while (1)
b40826
     {
b40826
       size_t nhere;
b40826
@@ -54,7 +55,7 @@ findidx (const wint_t **cpp)
b40826
 	     already.  */
b40826
 	  size_t cnt;
b40826
 
b40826
-	  for (cnt = 0; cnt < nhere; ++cnt)
b40826
+	  for (cnt = 0; cnt < nhere && cnt < len; ++cnt)
b40826
 	    if (cp[cnt] != usrc[cnt])
b40826
 	      break;
b40826
 
b40826
@@ -75,7 +76,7 @@ findidx (const wint_t **cpp)
b40826
 	  size_t cnt;
b40826
 	  size_t offset;
b40826
 
b40826
-	  for (cnt = 0; cnt < nhere - 1; ++cnt)
b40826
+	  for (cnt = 0; cnt < nhere - 1 && cnt < len; ++cnt)
b40826
 	    if (cp[cnt] != usrc[cnt])
b40826
 	      break;
b40826
 
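Review bot: This range branch bounds the prefix loop with `cnt < len` but, unlike the corresponding branch in locale/weight.h, it gains no `cnt == len` test for what follows the loop. The loop stops at `nhere - 1`, so the last element of the sequence is presumably compared by code after this hunk, which is not visible here. If that code indexes `usrc[nhere - 1]` when `len` equals `nhere - 1`, it would still read one element past the bound. I would check the statements after the loop and, if they do, add `cnt == len ||` to the test that rejects the range, as weight.h does with `if (cnt == len || cp[cnt] > usrc[cnt])`.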
b40826
diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
b40826
index 18a6667..72bd3ee 100644
b40826
--- a/posix/fnmatch_loop.c
b40826
+++ b/posix/fnmatch_loop.c
b40826
@@ -412,7 +412,7 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
b40826
 			  _NL_CURRENT (LC_COLLATE, _NL_COLLATE_INDIRECTMB);
b40826
 # endif
b40826
 
b40826
-			idx = findidx (&cp;;
b40826
+			idx = findidx (&cp, 1);
b40826
 			if (idx != 0)
b40826
 			  {
b40826
 			    /* We found a table entry.  Now see whether the
b40826
@@ -422,7 +422,7 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
b40826
 			    int32_t idx2;
b40826
 			    const UCHAR *np = (const UCHAR *) n;
b40826
 
b40826
-			    idx2 = findidx (&np);
b40826
+			    idx2 = findidx (&np, string_end - n);
b40826
 			    if (idx2 != 0
b40826
 				&& (idx >> 24) == (idx2 >> 24)
b40826
 				&& len == weights[idx2 & 0xffffff])
b40826
diff --git a/posix/regcomp.c b/posix/regcomp.c
b40826
index b238c08..34ee845 100644
b40826
--- a/posix/regcomp.c
b40826
+++ b/posix/regcomp.c
b40826
@@ -1,5 +1,5 @@
b40826
 /* Extended regular expression matching and search library.
b40826
-   Copyright (C) 2002-2007,2009,2010 Free Software Foundation, Inc.
b40826
+   Copyright (C) 2002-2007,2009,2010,2011 Free Software Foundation, Inc.
b40826
    This file is part of the GNU C Library.
b40826
    Contributed by Isamu Hasegawa <isamu@yamato.ibm.com>.
b40826
 
b40826
@@ -3409,19 +3409,18 @@ build_equiv_class (bitset_t sbcset, const unsigned char *name)
b40826
 						   _NL_COLLATE_EXTRAMB);
b40826
       indirect = (const int32_t *) _NL_CURRENT (LC_COLLATE,
b40826
 						_NL_COLLATE_INDIRECTMB);
b40826
-      idx1 = findidx (&cp;;
b40826
-      if (BE (idx1 == 0 || cp < name + strlen ((const char *) name), 0))
b40826
+      idx1 = findidx (&cp, -1);
b40826
+      if (BE (idx1 == 0 || *cp != '\0', 0))
b40826
 	/* This isn't a valid character.  */
b40826
 	return REG_ECOLLATE;
b40826
 
b40826
       /* Build single byte matcing table for this equivalence class.  */
b40826
-      char_buf[1] = (unsigned char) '\0';
b40826
       len = weights[idx1 & 0xffffff];
b40826
       for (ch = 0; ch < SBC_MAX; ++ch)
b40826
 	{
b40826
 	  char_buf[0] = ch;
b40826
 	  cp = char_buf;
b40826
-	  idx2 = findidx (&cp;;
b40826
+	  idx2 = findidx (&cp, 1);
b40826
 /*
b40826
 	  idx2 = table[ch];
b40826
 */
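Review bot: Dropping `char_buf[1] = (unsigned char) '\0';` means that, as far as this hunk shows, nothing after the first byte of `char_buf` is set, so the loop is safe only because `findidx (&cp, 1)` is trusted not to look past one byte. That dependency deserves a comment next to the call, for example `/* LEN is 1: findidx must not read beyond char_buf[0].  */`, so a later change to findidx does not reintroduce a read of uninitialised stack data. build_equiv_class starts and ends outside the hunk.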
b40826
b40826
--- a/posix/regex_internal.h	2011-11-30 12:47:02.706567482 -0700
b40826
+++ a/posix/regex_internal.h	2011-11-30 12:47:32.969558337 -0700
b40826
@@ -756,7 +756,7 @@
b40826
       indirect = (const int32_t *) _NL_CURRENT (LC_COLLATE,
b40826
 						_NL_COLLATE_INDIRECTMB);
b40826
       p = pstr->mbs + idx;
b40826
-      tmp = findidx (&p);
b40826
+      tmp = findidx (&p, pstr->len - idx);
b40826
       return p - pstr->mbs - idx;
b40826
     }
b40826
   else
b40826
diff --git a/posix/regexec.c b/posix/regexec.c
b40826
index 9e0c565..3ea810b 100644
b40826
--- a/posix/regexec.c
b40826
+++ b/posix/regexec.c
b40826
@@ -3924,7 +3924,7 @@ check_node_accept_bytes (const re_dfa_t *dfa, int node_idx,
b40826
 		_NL_CURRENT (LC_COLLATE, _NL_COLLATE_EXTRAMB);
b40826
 	      indirect = (const int32_t *)
b40826
 		_NL_CURRENT (LC_COLLATE, _NL_COLLATE_INDIRECTMB);
b40826
-	      int32_t idx = findidx (&cp;;
b40826
+	      int32_t idx = findidx (&cp, elem_len);
b40826
 	      if (idx > 0)
b40826
 		for (i = 0; i < cset->nequiv_classes; ++i)
b40826
 		  {
b40826
diff --git a/string/strcoll_l.c b/string/strcoll_l.c
b40826
index d8d1139..fb77d08 100644
b40826
--- a/string/strcoll_l.c
b40826
+++ b/string/strcoll_l.c
b40826
@@ -1,4 +1,4 @@
b40826
-/* Copyright (C) 1995-1997,2002,2004,2007,2010 Free Software Foundation, Inc.
b40826
+/* Copyright (C) 1995-1997,2002,2004,2007,2010,2011 Free Software Foundation, Inc.
b40826
    This file is part of the GNU C Library.
b40826
    Written by Ulrich Drepper <drepper@gnu.org>, 1995.
b40826
 
b40826
@@ -205,7 +205,7 @@ STRCOLL (s1, s2, l)
b40826
 
b40826
 		while (*us1 != L('\0'))
b40826
 		  {
b40826
-		    int32_t tmp = findidx (&us1;;
b40826
+		    int32_t tmp = findidx (&us1, -1);
b40826
 		    rule1arr[idx1max] = tmp >> 24;
b40826
 		    idx1arr[idx1max] = tmp & 0xffffff;
b40826
 		    idx1cnt = idx1max++;
b40826
@@ -267,7 +267,7 @@ STRCOLL (s1, s2, l)
b40826
 
b40826
 		while (*us2 != L('\0'))
b40826
 		  {
b40826
-		    int32_t tmp = findidx (&us2;;
b40826
+		    int32_t tmp = findidx (&us2, -1);
b40826
 		    rule2arr[idx2max] = tmp >> 24;
b40826
 		    idx2arr[idx2max] = tmp & 0xffffff;
b40826
 		    idx2cnt = idx2max++;
b40826
diff --git a/string/strxfrm_l.c b/string/strxfrm_l.c
b40826
index 220253c..b06556d 100644
b40826
--- a/string/strxfrm_l.c
b40826
+++ b/string/strxfrm_l.c
b40826
@@ -176,7 +176,7 @@ STRXFRM (STRING_TYPE *dest, const STRING_TYPE *src, size_t n, __locale_t l)
b40826
   idxmax = 0;
b40826
   do
b40826
     {
b40826
-      int32_t tmp = findidx (&usrc);
b40826
+      int32_t tmp = findidx (&usrc, -1);
b40826
       rulearr[idxmax] = tmp >> 24;
b40826
       idxarr[idxmax] = tmp & 0xffffff;
b40826