On Tue, 10 Dec 2024, enh wrote:
looking at the netbsd regex source, it seems like all accesses to `bmp` _do_ all have appropriate `< NC` range checks, but because wint_t is signed, the checks are wrong for negative values.i think you want something like this patch: diff --git a/lib/libc/regex/regcomp.c b/lib/libc/regex/regcomp.c index 47602b77f621..2312dbaa947c 100644 --- a/lib/libc/regex/regcomp.c +++ b/lib/libc/regex/regcomp.c @@ -1764,8 +1764,7 @@ CHadd(struct parse *p, cset *cs, wint_t ch) _DIAGASSERT(p != NULL); _DIAGASSERT(cs != NULL); - assert(ch >= 0); - if (ch < NC) + if ((unsigned)ch < NC) cs->bmp[(unsigned)ch >> 3] |= 1 << (ch & 7); else { newwides = reallocarray(cs->wides, cs->nwides + 1, @@ -1778,9 +1777,9 @@ CHadd(struct parse *p, cset *cs, wint_t ch) cs->wides[cs->nwides++] = ch; } if (cs->icase) { - if ((nch = towlower(ch)) < NC) + if ((unsigned)(nch = towlower(ch)) < NC) cs->bmp[(unsigned)nch >> 3] |= 1 << (nch & 7); - if ((nch = towupper(ch)) < NC) + if ((unsigned)(nch = towupper(ch)) < NC) cs->bmp[(unsigned)nch >> 3] |= 1 << (nch & 7); } } diff --git a/lib/libc/regex/regex2.h b/lib/libc/regex/regex2.h index fbfff0daf0f8..ee37044defc9 100644 --- a/lib/libc/regex/regex2.h +++ b/lib/libc/regex/regex2.h @@ -135,8 +135,7 @@ CHIN1(cset *cs, wint_t ch) { unsigned int i; - assert(ch >= 0); - if (ch < NC) + if ((unsigned)ch < NC) return (((cs->bmp[(unsigned)ch >> 3] & (1 << (ch & 7))) != 0) ^ cs->invert); for (i = 0; i < cs->nwides; i++) { @@ -160,8 +159,7 @@ static __inline int CHIN(cset *cs, wint_t ch) { - assert(ch >= 0); - if (ch < NC) + if ((unsigned)ch < NC) return (((cs->bmp[(unsigned)ch >> 3] & (1 << (ch & 7))) != 0) ^ cs->invert); else if (cs->icase)
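Review bot: In the first CHadd hunk, `if ((unsigned)ch < NC)` replaces `assert(ch >= 0)` with no comment, so nothing records why the cast is there or that a negative `ch` now takes the `else` branch and appears to end up in `cs->wides`. I would add `/* wint_t is signed: compare as unsigned so a negative ch can never index bmp[] */` above the check, and the same comment at the other three sites this patch changes (the icase checks in the next hunk, and CHIN1 and CHIN in regex2.h). The range check no longer depends on assert() being compiled in, which is the right direction. Whether a negative value should reach CHadd at all is not visible here, so the caller that produces it may still deserve a look. CHadd's body starts before this hunk and continues past it.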
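Review bot: The two icase checks in the second CHadd hunk pack an assignment inside a cast inside a comparison, `(unsigned)(nch = towlower(ch)) < NC`, which is easy to misread and easy to break if someone later drops the cast. Splitting it keeps the range check obvious: `nch = towlower(ch);` followed by `if ((unsigned)nch < NC)`, and likewise for `towupper`. Compared with an assert-enabled build, `towlower()`/`towupper()` can now be handed a negative `ch` here. I assume the libc implementations tolerate that, but it is worth confirming.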
Thanks! This patch seems to fix PR bin/58092 at least, but I can't provoke the crash in regcomp() as shown... -RVP
