Fix stack-buffer-overflow in parse_regex due to missing bounds checks (#1486)

Fixes: https://issues.oss-fuzz.com/issues/388922799
2025-10-19 10:23:17 +00:00 · 2025-04-25 01:03:26 +05:30 · 2025-04-25 01:03:26 +05:30 · 41aa292e97
commit 41aa292e97
parent 00886ee90d
1 changed files with 2 additions and 1 deletions
--- a/libclamav/regex_suffix.c
+++ b/libclamav/regex_suffix.c
@ -274,7 +274,7 @@ static struct node *parse_regex(const uint8_t *p, const size_t pSize, size_t *la
    struct node *right;
    struct node *tmp;

-    while (p[*last] != '$' && p[*last] != '\0') {
+    while (*last < pSize && p[*last] != '$' && p[*last] != '\0') {
        switch (p[*last]) {
            case '|':
                ++*last;
@ -356,6 +356,7 @@ static struct node *parse_regex(const uint8_t *p, const size_t pSize, size_t *la
                ++*last;
                /* fall-through */
            default:
+                if (*last >= pSize) break;
                right = make_leaf(p[*last]);
                v     = make_node(concat, v, right);
                if (!v) {