From d149fa4fd4e507b3bd3c2510157e1c6864c8f2d2 Mon Sep 17 00:00:00 2001
From: pfg <pfg@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Sat, 4 Nov 2017 14:45:36 +0000
Subject: [PATCH] MFC r325066: Fix out-of-bounds read in libc/regex.

The bug is an out-of-bounds read detected with address sanitizer that
happens when 'sp' in p_b_coll_elems() includes NUL byte[s], e.g. if it's
equal to "GS\x00". In that case len will be equal to 4, and the
strncmp(cp->name, sp, len) call will succeed when cp->name is "GS" but the
cp->name[len] == '\0' comparison will cause the read to go out-of-bounds.

Checking the length using strlen() instead eliminates the issue.

The bug was found in LLVM with oss-fuzz:
	https://reviews.llvm.org/D39380

Obtained from:	Vlad Tsyrklevich through posting on openbsd-tech


git-svn-id: svn://svn.freebsd.org/base/stable/10@325394 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 lib/libc/regex/regcomp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/libc/regex/regcomp.c b/lib/libc/regex/regcomp.c
index 1e231fb03..49479961b 100644
--- a/lib/libc/regex/regcomp.c
+++ b/lib/libc/regex/regcomp.c
@@ -922,7 +922,7 @@ p_b_coll_elem(struct parse *p,
 	}
 	len = p->next - sp;
 	for (cp = cnames; cp->name != NULL; cp++)
-		if (strncmp(cp->name, sp, len) == 0 && cp->name[len] == '\0')
+		if (strncmp(cp->name, sp, len) == 0 && strlen(cp->name) == len)
 			return(cp->code);	/* known name */
 	memset(&mbs, 0, sizeof(mbs));
 	if ((clen = mbrtowc(&wc, sp, len, &mbs)) == len)
-- 
2.42.0