From f5bf8f9d9f7bd1bd24685ce744ce735e9d4fd387 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Tue, 8 Oct 2019 16:03:04 +0200
Subject: fix heap-buffer-overflow using upstream patch
---
15c4228aa2ffa02140a99912dd3177df0b1841c6.patch | 37 ++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 15c4228aa2ffa02140a99912dd3177df0b1841c6.patch
(limited to '15c4228aa2ffa02140a99912dd3177df0b1841c6.patch')
diff --git a/15c4228aa2ffa02140a99912dd3177df0b1841c6.patch b/15c4228aa2ffa02140a99912dd3177df0b1841c6.patch
new file mode 100644
index 0000000..88dd8e8
--- /dev/null
+++ b/15c4228aa2ffa02140a99912dd3177df0b1841c6.patch
@@ -0,0 +1,37 @@
+From 15c4228aa2ffa02140a99912dd3177df0b1841c6 Mon Sep 17 00:00:00 2001
+From: "K.Kosako"
+Date: Fri, 4 Oct 2019 19:54:40 +0900
+Subject: [PATCH] fix #156: Heap buffer overflow in match_at() with
+ case-insensitive match
+
+---
+ src/regcomp.c | 2 +-
+ src/regexec.c | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/regcomp.c b/src/regcomp.c
+index cd379a2..52f6f01 100644
+--- a/src/regcomp.c
++++ b/src/regcomp.c
+@@ -734,8 +734,8 @@ add_compile_string(UChar* s, int mb_len, int str_len,
+ COP(reg)->exact_n.s = p;
+ }
+ else {
++ xmemset(COP(reg)->exact.s, 0, sizeof(COP(reg)->exact.s));
+ xmemcpy(COP(reg)->exact.s, s, (size_t )byte_len);
+- COP(reg)->exact.s[byte_len] = '\0';
+ }
+
+ return 0;
+diff --git a/src/regexec.c b/src/regexec.c
+index e471491..4bcd8a9 100644
+--- a/src/regexec.c
++++ b/src/regexec.c
+@@ -2889,6 +2889,7 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
+ DATA_ENSURE(0);
+ q = lowbuf;
+ while (len-- > 0) {
++ if (ps >= endp) goto fail;
+ if (*ps != *q) goto fail;
+ ps++; q++;
+ }
-- cgit
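Review bot: In the src/regcomp.c part of the carried patch, the `xmemcpy` into `COP(reg)->exact.s` still takes `byte_len` with no bound against `sizeof(COP(reg)->exact.s)` visible in the hunk, and with the terminator write removed the buffer is zero-padded rather than guaranteed NUL-terminated once `byte_len` fills it. The bound is presumably established earlier in add_compile_string, which starts and ends outside the hunk; recording it on the else branch would help, e.g. `/* byte_len fits exact.s on this path; zero-fill so bytes past byte_len read as 0 */` (confirm the invariant before settling the wording). The same applies to `if (ps >= endp) goto fail;` in src/regexec.c, where a one-line comment saying why the compare can run past the stored pattern bytes would keep the check from being dropped as redundant later. The upstream diffstat lists only the two src files, so no regression test comes with the fix; running the reproducer from the referenced issue under a memory sanitizer in the package's test step would confirm the backport.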