Summary:
Original oss-fuzz report:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3727#c2
The minimized test case that causes this failure:
5b 5b 5b 3d 47 53 00 5b 3d 5d 5b 5d 0a [[[=GS.[=][].
Note the string "=GS\x00". The failure happens because the code is
searching the string against an array of known collated names. "GS\x00"
is a hit, but since len takes into account an extra NUL byte, indexing
into cp->name[len] goes one byte past it's allocated memory. Fix this to
use a strlen(cp->name) comparison to account for NUL bytes in the input.
Reviewers: pcc
Reviewed By: pcc
Subscribers: hctim, kcc
Differential Revision: https://reviews.llvm.org/D39380
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@316786
91177308-0d34-0410-b5e6-
96231b3b80d8
{
char *sp = p->next;
struct cname *cp;
- int len;
+ size_t len;
while (MORE() && !SEETWO(endc, ']'))
NEXT();
}
len = p->next - sp;
for (cp = cnames; cp->name != NULL; cp++)
- if (strncmp(cp->name, sp, len) == 0 && cp->name[len] == '\0')
+ if (strncmp(cp->name, sp, len) == 0 && strlen(cp->name) == len)
return(cp->code); /* known name */
if (len == 1)
return(*sp); /* single character */
EXPECT_FALSE(r1.match("X"));
}
+// https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3727
+TEST_F(RegexTest, OssFuzz3727Regression) {
+ // Wrap in a StringRef so the NUL byte doesn't terminate the string
+ Regex r(StringRef("[[[=GS\x00[=][", 10));
+ std::string Error;
+ EXPECT_FALSE(r.isValid(Error));
+}
+
}