Bug 23609

Summary: regex backreference heap errors
Product: glibc
Reporter: eggert
Component: regex
Assignee: Not yet assigned to anyone <unassigned>
Severity: normal
CC: drepper.fsp, fweimer
Priority: P2
Version: 2.28
Target Milestone: ---
Host:
Target:
Build:
Last reconfirmed:
Attachments:
  Patch for use-after-free bug, from Assaf Gordon
  Patch for heap-exhaustion bug

Description eggert 2018-09-06 07:10:37 UTC
Created attachment 11231
Patch for use-after-free bug, from Assaf Gordon

In <https://debbugs.gnu.org/32592#14> Saito Takaaki reported that a friend found a bug in GNU sed regex handling, and Assaf Gordon has found that this was due to use-after-free relating to the back-references. Assaf has a fix, which I'm attaching.

In that same thread, Jim Meyering noted <https://debbugs.gnu.org/32592#35> that there was some seemingly-useless code immediately after Assaf's bug fix. I have looked into this, and it turns out that this code does not properly report an error when heap allocation fails; instead, it just trudges onward and does goodness knows what. I'll attach a second patch for this nearby bug.

Comment 1 eggert 2018-09-06 07:11:18 UTC
Created attachment 11232
Patch for heap-exhaustion bug

Comment 2 eggert 2018-09-06 08:21:19 UTC
Assaf Gordon writes in <https://debbugs.gnu.org/32592#41> that the use-after-free bug was already reported as Bug#18040. The two bug reports should be merged.

Comment 3 eggert 2018-12-15 21:38:02 UTC
As I mentioned in Comment 2, this is the same bug as Bug#18040. Resolving it as a duplicate.

*** This bug has been marked as a duplicate of bug 18040 ***