>From 17542682f92da94550e275a58316c9ad96724374 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Sat, 25 Aug 2018 00:35:05 -0700
Subject: [PATCH] regex: fix uninitialized memory access
Problem and draft fix reported by Assaf Gordon here: https://lists.gnu.org/r/bug-gnulib/2018-08/msg00071.html https://lists.gnu.org/r/bug-gnulib/2018-08/msg00142.html I introduced this bug into gnulib in commit 8335a4d6c7b4448cd0bcb6d0bebf1d456bcfdb17 dated 2006-04-10. * lib/regex_internal.c (build_wcs_upper_buffer): Fix bug when mbrtowc returns 0.
---
 ChangeLog | 11 +++++++++++
 lib/regex_internal.c | 4 ++--
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index acd3e2a05..da711a89d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2018-08-25 Paul Eggert
+
+ regex: fix uninitialized memory access
+ Problem and draft fix reported by Assaf Gordon here:
+ https://lists.gnu.org/r/bug-gnulib/2018-08/msg00071.html
+ https://lists.gnu.org/r/bug-gnulib/2018-08/msg00142.html
+ I introduced this bug into gnulib in commit
+ 8335a4d6c7b4448cd0bcb6d0bebf1d456bcfdb17 dated 2006-04-10.
+ * lib/regex_internal.c (build_wcs_upper_buffer):
+ Fix bug when mbrtowc returns 0.
+
 2018-08-23 Bruno Haible
 getcwd: Add cross-compilation guesses.
diff --git a/lib/regex_internal.c b/lib/regex_internal.c
index 7f0083b91..b10588f1c 100644
--- a/lib/regex_internal.c
+++ b/lib/regex_internal.c
@@ -317,7 +317,7 @@ build_wcs_upper_buffer (re_string_t *pstr)
 mbclen = __mbrtowc (&wc, ((const char *) pstr->raw_mbs + pstr->raw_mbs_idx + byte_idx), remain_len, &pstr->cur_state);
- if (BE (mbclen < (size_t) -2, 1))
+ if (BE (0 < mbclen && mbclen < (size_t) -2, 1))
 {
 wchar_t wcu = __towupper (wc);
 if (wcu != wc)
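Review bot: The added `0 < mbclen` test in the `@@ -317` hunk, and the identical one in the `@@ -386` hunk, has no comment saying why a zero return is excluded, so a later reader cannot tell this guard from a redundant one. A short comment above each condition would do, for example `/* mbrtowc returns 0 for a null wide character; it must not be treated as a converted character of mbclen bytes.  */`. Both conditions sit in build_wcs_upper_buffer, whose body and the branch that now receives mbclen == 0 lie outside these hunks, so it is worth confirming that that branch stores a byte for the position before the index advances. The diffstat lists only ChangeLog and lib/regex_internal.c, so the commit carries no regression test; a case with an embedded NUL in the subject string, run under a memory checker, would keep the uninitialized read from coming back.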
@@ -386,7 +386,7 @@ build_wcs_upper_buffer (re_string_t *pstr)
 else
 p = (const char *) pstr->raw_mbs + pstr->raw_mbs_idx + src_idx;
 mbclen = __mbrtowc (&wc, p, remain_len, &pstr->cur_state);
- if (BE (mbclen < (size_t) -2, 1))
+ if (BE (0 < mbclen && mbclen < (size_t) -2, 1))
 {
 wchar_t wcu = __towupper (wc);
 if (wcu != wc)
-- 2.17.1