From d5245cc71c67b66e42ee7efb29ae582253b94720 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Feb 02 2021 14:25:51 +0000
Subject: Resolves: #1919775 - expr: fix invalid read with unmatched \(...\)
---
diff --git a/coreutils-8.32-expr-unmatched-par.patch b/coreutils-8.32-expr-unmatched-par.patch
new file mode 100644
index 0000000..1a82384
--- /dev/null
+++ b/coreutils-8.32-expr-unmatched-par.patch
@@ -0,0 +1,81 @@
+From 9618fb718b75920f37e5be2049ad1d0bb5c4a28c Mon Sep 17 00:00:00 2001
+From: Paul Eggert
+Date: Tue, 26 Jan 2021 09:23:54 -0800
+Subject: [PATCH] expr: fix bug with unmatched \(...\)
+
+Problem reported by Qiuhao Li.
+* doc/coreutils.texi (String expressions):
+Document the correct behavior, which POSIX requires.
+* src/expr.c (docolon): Treat unmatched \(...\) as empty.
+* tests/misc/expr.pl: New test.
+
+Upstream-commit: 735083ba24878075235007b4417982ad5700436d
+Signed-off-by: Kamil Dudka
+---
+ doc/coreutils.texi | 14 ++++++++------
+ src/expr.c | 9 +++++++--
+ tests/misc/expr.pl | 3 +++
+ 3 files changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/doc/coreutils.texi b/doc/coreutils.texi
+index 2382a16..5b2bb2c 100644
+--- a/doc/coreutils.texi
++++ b/doc/coreutils.texi
+@@ -13529,12 +13529,14 @@ second is considered to be a (basic, a la GNU @code{grep}) regular
+ expression, with a @code{^} implicitly prepended. The first argument is
+ then matched against this regular expression.
+
+-If the match succeeds and @var{regex} uses @samp{\(} and @samp{\)}, the
+-@code{:} expression returns the part of @var{string} that matched the
+-subexpression; otherwise, it returns the number of characters matched.
+-
+-If the match fails, the @code{:} operator returns the null string if
+-@samp{\(} and @samp{\)} are used in @var{regex}, otherwise 0.
++If @var{regex} does not use @samp{\(} and @samp{\)}, the @code{:}
++expression returns the number of characters matched, or 0 if the match
++fails.
++
++If @var{regex} uses @samp{\(} and @samp{\)}, the @code{:} expression
++returns the part of @var{string} that matched the subexpression, or
++the null string if the match failed or the subexpression did not
++contribute to the match.
+
+ @kindex \( @r{regexp operator}
+ Only the first @samp{\( @dots{} \)} pair is relevant to the return
+diff --git a/src/expr.c b/src/expr.c
+index e134872..0616a42 100644
+--- a/src/expr.c
++++ b/src/expr.c
+@@ -721,8 +721,13 @@ docolon (VALUE *sv, VALUE *pv)
+ /* Were \(...\) used? */
+ if (re_buffer.re_nsub > 0)
+ {
+- sv->u.s[re_regs.end[1]] = '\0';
+- v = str_value (sv->u.s + re_regs.start[1]);
++ if (re_regs.end[1] < 0)
++ v = str_value ("");
++ else
++ {
++ sv->u.s[re_regs.end[1]] = '\0';
++ v = str_value (sv->u.s + re_regs.start[1]);
++ }
+ }
+ else
+ {
+diff --git a/tests/misc/expr.pl b/tests/misc/expr.pl
+index e45f8e7..e57f79d 100755
+--- a/tests/misc/expr.pl
++++ b/tests/misc/expr.pl
+@@ -84,6 +84,9 @@ my @Tests =
+ # In 5.94 and earlier, anchors incorrectly matched newlines.
+ ['anchor', "'a\nb' : 'a\$'", {OUT => '0'}, {EXIT => 1}],
+
++ # In 8.32, \( ... \) that did not match caused memory errors.
++ ['emptysub', '"a" : "\\(b\\)*"', {OUT => ''}, {EXIT => 1}],
++
+ # These tests are taken from grep/tests/bre.tests.
+ ['bre1', '"abc" : "a\\(b\\)c"', {OUT => 'b'}],
+ ['bre2', '"a(" : "a("', {OUT => '2'}],
+--
+2.26.2
+
diff --git a/coreutils.spec b/coreutils.spec
index d6980da..3f2be33 100644
--- a/coreutils.spec
+++ b/coreutils.spec
@@ -1,7 +1,7 @@
 Summary: A set of basic GNU tools commonly used in shell scripts
 Name: coreutils
 Version: 8.32
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: GPLv3+
 Url: https://www.gnu.org/software/coreutils/
 Source0: https://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz
@@ -31,6 +31,9 @@ Patch5: coreutils-8.32-new-fs-types.patch
 # rm: do not skip files upon failure to remove an empty dir (#1905481)
 Patch6: coreutils-8.32-rm-stray-skip.patch
+# expr: fix invalid read with unmatched \(...\) (#1919775)
+Patch7: coreutils-8.32-expr-unmatched-par.patch
+
 # disable the test-lock gnulib test prone to deadlock
 Patch100: coreutils-8.26-test-lock.patch
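Review bot: The `emptysub` case that this patch file adds to tests/misc/expr.pl asserts only `{OUT => ''}` and `{EXIT => 1}`, which the unfixed code probably produces as well, so it guards the fix only when the suite runs under a memory checker such as valgrind or ASan. In the removed src/expr.c lines a negative `re_regs.end[1]` stores `'\0'` before the start of `sv->u.s`, and `str_value` then starts reading at that same byte (assuming both registers are -1 for a group that did not match), which still yields an empty string. That store is an out-of-bounds write, so the "invalid read" wording in the subject, spec comment and changelog understates the defect for backport triage. The new branch would also benefit from a comment such as `/* The regex matcher leaves start/end negative for a group that took no part in the match. */`; docolon's body continues outside the embedded hunk.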
@@ -284,6 +287,9 @@ rm -f $RPM_BUILD_ROOT%{_infodir}/dir %license COPYING %changelog +* Tue Feb 02 2021 Kamil Dudka - 8.32-17 +- expr: fix invalid read with unmatched \(...\) (#1919775) + * Tue Jan 26 2021 Fedora Release Engineering - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild