fix bug: Out of bounds read in onig_strcpy() #17

diff --git a/src/regenc.c b/src/regenc.c
index 01bfd1d16588674d930f397b29b0d2f74d7460ca..11745d30433532c28029090ad0699ea59b70b7c8 100644 (file)
--- a/src/regenc.c
+++ b/src/regenc.c
@@ -108,6 +108,18 @@ onigenc_step_back(OnigEncoding enc, const UChar* start, const UChar* s, int n)
   return (UChar* )s;
 }
 
+extern int
+onigenc_mbc_enc_len_end(OnigEncoding enc, const UChar* p, const UChar* end)
+{
+  int len;
+  int n;
+
+  len = ONIGENC_MBC_ENC_LEN(enc, p);
+  n = (int )(end - p);
+
+  return (n < len ? n : len);
+}
+
 extern UChar*
 onigenc_step(OnigEncoding enc, const UChar* p, const UChar* end, int n)
 {

diff --git a/src/regenc.h b/src/regenc.h
index 65eb17e0edef0381da9fcd17b119563db24fa399..8b53b98bcf17d28dd22b7fc434e7ec48336a6a40 100644 (file)
--- a/src/regenc.h
+++ b/src/regenc.h
@@ -116,6 +116,7 @@ struct PropertyNameCtype {
 #define ONIG_ENCODING_INIT_DEFAULT           ONIG_ENCODING_ASCII
 
 /* for encoding system implementation (internal) */
+ONIG_EXTERN int onigenc_mbc_enc_len_end(OnigEncoding enc, const UChar* p, const UChar* end);
 ONIG_EXTERN int onigenc_ascii_apply_all_case_fold P_((OnigCaseFoldType flag, OnigApplyAllCaseFoldFunc f, void* arg));
 ONIG_EXTERN int onigenc_ascii_get_case_fold_codes_by_str P_((OnigCaseFoldType flag, const OnigUChar* p, const OnigUChar* end, OnigCaseFoldCodeItem items[]));
 ONIG_EXTERN int onigenc_apply_all_case_fold_with_map P_((int map_size, const OnigPairCaseFoldCodes map[], int ess_tsett_flag, OnigCaseFoldType flag, OnigApplyAllCaseFoldFunc f, void* arg));
@@ -227,6 +228,8 @@ ONIG_EXTERN const UChar  OnigEncAsciiToLowerCaseTable[];
 ONIG_EXTERN const UChar  OnigEncAsciiToUpperCaseTable[];
 ONIG_EXTERN const unsigned short OnigEncAsciiCtypeTable[];
 
+#define ONIGENC_MBC_ENC_LEN_END(enc,p,end)   onigenc_mbc_enc_len_end(enc, p, end)
+
 #define ONIGENC_IS_ASCII_CODE(code)  ((code) < 0x80)
 #define ONIGENC_ASCII_CODE_TO_LOWER_CASE(c) OnigEncAsciiToLowerCaseTable[c]
 #define ONIGENC_ASCII_CODE_TO_UPPER_CASE(c) OnigEncAsciiToUpperCaseTable[c]

diff --git a/src/regparse.c b/src/regparse.c
index a32ab9e411d74189b4446590996428e689e0b2c2..44cbfcc15636b886332e52f128ca1a7a2db06bc0 100644 (file)
--- a/src/regparse.c
+++ b/src/regparse.c
@@ -26,7 +26,6 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
-
 #include "regparse.h"
 #include "st.h"
 
@@ -267,7 +266,7 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end)
 #define PFETCH(c)  do { \
   c = ONIGENC_MBC_TO_CODE(enc, p, end); \
   pfetch_prev = p; \
-  p += ONIGENC_MBC_ENC_LEN(enc, p); \
+  p += ONIGENC_MBC_ENC_LEN_END(enc, p, end); \
 } while (0)
 
 #define PINC_S     do { \
@@ -275,7 +274,7 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end)
 } while (0)
 #define PFETCH_S(c) do { \
   c = ONIGENC_MBC_TO_CODE(enc, p, end); \
-  p += ONIGENC_MBC_ENC_LEN(enc, p); \
+  p += ONIGENC_MBC_ENC_LEN_END(enc, p, end); \
 } while (0)
 
 #define PPEEK        (p < end ? ONIGENC_MBC_TO_CODE(enc, p, end) : PEND_VALUE)
@@ -5310,6 +5309,11 @@ onig_parse_make_tree(Node** root, const UChar* pattern, const UChar* end,
   env->pattern_end    = (UChar* )end;
   env->reg            = reg;
 
+#ifdef DEBUG_OOB
+  fprintf(stderr, "onig_parse_make_tree: %p - %p, %d\n", pattern, end,
+          (int )(end - pattern));
+#endif
+
   *root = NULL;
   p = (UChar* )pattern;
   r = parse_regexp(root, &p, (UChar* )end, env);