From fc141ea78ee3d87c67b18488827fe2d89c9343e7 Mon Sep 17 00:00:00 2001 From: Andreas Schwab Date: Wed, 30 Oct 2019 10:38:36 +0100 Subject: [PATCH] Fix array bounds violation in regex matcher (bug 25149) If the regex has more subexpressions than the number of elements allocated in the regmatch_t array passed to regexec then proceed_next_node may access the regmatch_t array outside its bounds. No testcase added because even without this bug it would then crash in pop_fail_stack which is bug 11053. --- posix/regexec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/posix/regexec.c b/posix/regexec.c index 3c46ac81dd..38b6d6719a 100644 --- a/posix/regexec.c +++ b/posix/regexec.c @@ -1266,10 +1266,13 @@ proceed_next_node (const re_match_context_t *mctx, Idx nregs, regmatch_t *regs, if (type == OP_BACK_REF) { Idx subexp_idx = dfa->nodes[node].opr.idx + 1; - naccepted = regs[subexp_idx].rm_eo - regs[subexp_idx].rm_so; + if (subexp_idx < nregs) + naccepted = regs[subexp_idx].rm_eo - regs[subexp_idx].rm_so; if (fs != NULL) { - if (regs[subexp_idx].rm_so == -1 || regs[subexp_idx].rm_eo == -1) + if (subexp_idx >= nregs + || regs[subexp_idx].rm_so == -1 + || regs[subexp_idx].rm_eo == -1) return -1; else if (naccepted) { -- 2.43.5