regcomp: Fix off-by-one bug in build_equiv_class [BZ #23396]
authorFlorian Weimer <fweimer@redhat.com>
Fri, 20 Jul 2018 09:58:51 +0000 (11:58 +0200)
committerFlorian Weimer <fweimer@redhat.com>
Fri, 20 Jul 2018 09:58:51 +0000 (11:58 +0200)
This bug is very similar to bug 23036: The existing code assumed that
the length count included the length byte itself.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
ChangeLog
posix/regcomp.c

index b45c83ba2b481f41c1fb5312b0ebaf64b9d72a74..49d1377c683b3d4f3ece74a2f99e6e681af9dc16 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2018-07-20  Florian Weimer  <fweimer@redhat.com>
+
+       [BZ #23396]
+       * posix/regcomp.c (build_equiv_class): When comparing weights, do
+       not compare an extra byte after the end of the weights.
+
 2018-07-20  Samuel Thibault  <samuel.thibault@ens-lyon.org>
 
        * sysdeps/mach/hurd/i386/tls.h (_hurd_tls_init): Set multiple_threads
index 7b5ddaad0cb29ad460997fde31b81ed1c44aed9f..545d188468c376e7d82d3827a922f0fea87a4c0d 100644 (file)
@@ -3531,18 +3531,10 @@ build_equiv_class (bitset_t sbcset, const unsigned char *name)
            continue;
          /* Compare only if the length matches and the collation rule
             index is the same.  */
-         if (len == weights[idx2 & 0xffffff] && (idx1 >> 24) == (idx2 >> 24))
-           {
-             int cnt = 0;
-
-             while (cnt <= len &&
-                    weights[(idx1 & 0xffffff) + 1 + cnt]
-                    == weights[(idx2 & 0xffffff) + 1 + cnt])
-               ++cnt;
-
-             if (cnt > len)
-               bitset_set (sbcset, ch);
-           }
+         if (len == weights[idx2 & 0xffffff] && (idx1 >> 24) == (idx2 >> 24)
+             && memcmp (weights + (idx1 & 0xffffff) + 1,
+                        weights + (idx2 & 0xffffff) + 1, len) == 0)
+           bitset_set (sbcset, ch);
        }
       /* Check whether the array has enough space.  */
       if (BE (*equiv_class_alloc == mbcset->nequiv_classes, 0))
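Review bot: The comment above the new condition still says only that the length and rule index must match, and does not record the invariant whose misreading caused this bug: the byte at `weights[idx & 0xffffff]` counts the weight bytes that follow it and does not include itself. I would extend the comment to something like `/* The length byte counts only the weight bytes after it, so compare exactly LEN bytes starting one past each index.  */`, since the commit message says the same mistake was already made in bug 23036. Separately, the `memcmp` reads `len` bytes from both offsets with no visible check that they stay inside the weights table. That presumably relies on the locale data being well-formed, which is worth stating in the comment if the table can ever come from a locale file the caller does not control. build_equiv_class starts and ends outside this hunk, so the definition of `len` and any earlier validation are not visible here.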