commit 8f4aa7ddb908369db971d4c31850ca1eef2e3687
author Simon Glass <sjg@chromium.org> Sun Nov 01 14:15:42 2020 -0700
committer Tom Rini <trini@konsulko.com> Tue Dec 01 10:33:38 2020 -0500
tree 5ef13f26cb8fa44ab01dfdb9c51abb609a476303
parent 9528229f22b590cc4b5cf8bf0d3212d2ab08ffd5

setexpr: Correct buffer overflow bug and enable tests

At present when more than one substitution is made this function
overwrites its buffers. Fix this bug and update the tests now that they
can pass.

Also update the debug code to show all substrings, since at present it
omits the final one.

Fixes: 855f18ea0e6 ("setexpr: add regex substring matching and substitution")
Signed-off-by: Simon Glass <sjg@chromium.org>

cmd/setexpr.c

diff --git a/cmd/setexpr.c b/cmd/setexpr.c
index 0cc7cf1..d364dbc 100644
--- a/cmd/setexpr.c
+++ b/cmd/setexpr.c
@@ -155,11 +155,11 @@
 
 		(void) memset(caps, 0, sizeof(caps));
 
-		res = slre_match(&slre, datap, len, caps);
+		res = slre_match(&slre, datap, len - (datap - data), caps);
 
 		debug("Result: %d\n", res);
 
-		for (i = 0; i < slre.num_caps; i++) {
+		for (i = 0; i <= slre.num_caps; i++) {
 			if (caps[i].len > 0) {
 				debug("Substring %d: [%.*s]\n", i,
 					caps[i].len, caps[i].ptr);
@@ -231,7 +231,7 @@
 					break;
 
 				np = substitute(np, &nlen,
-					nbuf_size,
+					nbuf_size - (np - nbuf),
 					backref, 2,
 					caps[i].ptr, caps[i].len);
 
@@ -241,8 +241,8 @@
 		}
 		debug("## SUBST(2) ## %s\n", nbuf);
 
-		datap = substitute(datap, &len, data_size, old, olen,
-				   nbuf, nlen);
+		datap = substitute(datap, &len, data_size - (datap - data),
+				   old, olen, nbuf, nlen);
 
 		if (datap == NULL)
 			return 1;