View | Details | Raw Unified | Return to bug 23609 | Differences between
and this patch

(-)a/ChangeLog (+12 lines)
Lines 1-3 Link Here
1
2018-09-05  Assaf Gordon  <assafgordon@gmail.com>
2
3
	regex: fix heap-use-after-free error
4
	Problem reported by Saito Takaaki <tails.saito@gmail.com> in
5
	https://debbugs.gnu.org/32592
6
	Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may
7
	call extend_buffers which reallocates the re_string_t internal buffer.
8
	Local variable 'buf' was not updated in such case, resulting in
9
	use-after-free.
10
	* posix/regexec.c (get_subexp): Update 'buf' after call to
11
	get_subexp_sub.
12
1
2018-09-05  Rafal Luzynski  <digitalfreak@lingonborough.com>
13
2018-09-05  Rafal Luzynski  <digitalfreak@lingonborough.com>
2
14
3
	[BZ #17426]
15
	[BZ #17426]
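Review bot: The new ChangeLog entry carries no bug tag, although this patch is attached to bug 23609 and the entry directly below it uses the `[BZ #17426]` form. Add a `[BZ #23609]` line under the date line so the fix can be traced from the ChangeLog to the tracker, alongside the debbugs URL already cited. The entry names only get_subexp under posix/regexec.c, which matches the single code hunk, so the file list itself is complete.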
(-)a/posix/regexec.c (-1 / +1 lines)
Lines 2777-2782 get_subexp (re_match_context_t *mctx, Idx bkref_node, Idx bkref_str_idx) Link Here
2777
	    return REG_ESPACE;
2777
	    return REG_ESPACE;
2778
	  err = get_subexp_sub (mctx, sub_top, sub_last, bkref_node,
2778
	  err = get_subexp_sub (mctx, sub_top, sub_last, bkref_node,
2779
				bkref_str_idx);
2779
				bkref_str_idx);
2780
	  buf = (const char *) re_string_get_buffer (&mctx->input);
2780
	  if (err == REG_NOMATCH)
2781
	  if (err == REG_NOMATCH)
2781
	    continue;
2782
	    continue;
2782
	}
2783
	}
2783
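Review bot: The re-read of `buf` added at new line 2780 has no comment, so nothing at the call site says why a local that looks loop-invariant must be reloaded. A one-line comment stating that get_subexp_sub can reach extend_buffers and reallocate the mctx->input buffer (as the ChangeLog entry explains) would keep a later cleanup from removing the assignment as redundant. Doing the reload before the `err == REG_NOMATCH` check is the right order, because the `continue` path goes on using `buf` in the loop. The patch touches only ChangeLog and posix/regexec.c; a regression test built from the reproducer in the cited report would let the use-after-free be caught under a sanitizer run if it reappears. Any other place in get_subexp that holds `buf` across a call which can extend the buffers deserves the same check.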