077c9d
commit 58559f14437d2aa71753a29fed435efa06aa4576
077c9d
Author: Paul Eggert <eggert@cs.ucla.edu>
077c9d
Date:   Tue Aug 28 21:54:28 2018 +0200
077c9d
077c9d
    regex: fix uninitialized memory access
077c9d
    
077c9d
    I introduced this bug into gnulib in commit
077c9d
    8335a4d6c7b4448cd0bcb6d0bebf1d456bcfdb17 dated 2006-04-10;
077c9d
    eventually it was merged into glibc.  The bug was found by
077c9d
    project-repo <bugs@feusi.co> and reported here:
077c9d
    https://lists.gnu.org/r/sed-devel/2018-08/msg00017.html
077c9d
    Diagnosis and draft fix reported by Assaf Gordon here:
077c9d
    https://lists.gnu.org/r/bug-gnulib/2018-08/msg00071.html
077c9d
    https://lists.gnu.org/r/bug-gnulib/2018-08/msg00142.html
077c9d
    * posix/regex_internal.c (build_wcs_upper_buffer):
077c9d
    Fix bug when mbrtowc returns 0.
077c9d
    
077c9d
    (cherry picked from commit bc680b336971305cb39896b30d72dc7101b62242)
077c9d
077c9d
diff --git a/posix/regex_internal.c b/posix/regex_internal.c
077c9d
index 7f0083b918de6530..b10588f1ccbb1992 100644
077c9d
--- a/posix/regex_internal.c
077c9d
+++ b/posix/regex_internal.c
077c9d
@@ -317,7 +317,7 @@ build_wcs_upper_buffer (re_string_t *pstr)
077c9d
 	  mbclen = __mbrtowc (&wc,
077c9d
 			      ((const char *) pstr->raw_mbs + pstr->raw_mbs_idx
077c9d
 			       + byte_idx), remain_len, &pstr->cur_state);
077c9d
-	  if (BE (mbclen < (size_t) -2, 1))
077c9d
+	  if (BE (0 < mbclen && mbclen < (size_t) -2, 1))
077c9d
 	    {
077c9d
 	      wchar_t wcu = __towupper (wc);
077c9d
 	      if (wcu != wc)
077c9d
@@ -386,7 +386,7 @@ build_wcs_upper_buffer (re_string_t *pstr)
077c9d
 	else
077c9d
 	  p = (const char *) pstr->raw_mbs + pstr->raw_mbs_idx + src_idx;
077c9d
 	mbclen = __mbrtowc (&wc, p, remain_len, &pstr->cur_state);
077c9d
-	if (BE (mbclen < (size_t) -2, 1))
077c9d
+	if (BE (0 < mbclen && mbclen < (size_t) -2, 1))
077c9d
 	  {
077c9d
 	    wchar_t wcu = __towupper (wc);
077c9d
 	    if (wcu != wc)