This is the mail archive of the
glibc-cvs@sourceware.org
mailing list for the glibc project.
GNU C Library master sources branch master updated. glibc-2.28.9000-399-gef202e5
- From: eggert at sourceware dot org
- To: glibc-cvs at sourceware dot org
- Date: 16 Dec 2018 15:08:33 -0000
- Subject: GNU C Library master sources branch master updated. glibc-2.28.9000-399-gef202e5
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via ef202e530c2384d6a47951ed1c6b63ed945e462f (commit)
via 077caf61d867d4cab49b5aa42da1611868596fe7 (commit)
from 0c1719e65b2a5a80331d4f635612799f853b0479 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ef202e530c2384d6a47951ed1c6b63ed945e462f
commit ef202e530c2384d6a47951ed1c6b63ed945e462f
Author: Paul Eggert <eggert@cs.ucla.edu>
Date: Wed Sep 5 23:57:08 2018 -0700
regex: fix storage-exhaustion error
[BZ #18040]
* posix/regexec.c (get_subexp):
Do not continue if storage is exhausted.
diff --git a/ChangeLog b/ChangeLog
index 2fef13e..e0e7a74 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2018-12-15 Paul Eggert <eggert@cs.ucla.edu>
+
+ regex: fix storage-exhaustion error
+ [BZ #18040]
+ * posix/regexec.c (get_subexp):
+ Do not continue if storage is exhausted.
+
2018-12-15 Assaf Gordon <assafgordon@gmail.com>
regex: fix heap-use-after-free error
diff --git a/posix/regexec.c b/posix/regexec.c
index a29e8ad..ecb430d 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -2786,6 +2786,8 @@ get_subexp (re_match_context_t *mctx, Idx bkref_node, Idx bkref_str_idx)
buf = (const char *) re_string_get_buffer (&mctx->input);
if (err == REG_NOMATCH)
continue;
+ if (__glibc_unlikely (err != REG_NOERROR))
+ return err;
}
}
return REG_NOERROR;
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=077caf61d867d4cab49b5aa42da1611868596fe7
commit 077caf61d867d4cab49b5aa42da1611868596fe7
Author: Assaf Gordon <assafgordon@gmail.com>
Date: Wed Sep 5 23:25:07 2018 -0700
regex: fix heap-use-after-free error
[BZ #18040]
Problem reported by Saito Takaaki <tails.saito@gmail.com> in
https://debbugs.gnu.org/32592
Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may
call extend_buffers which reallocates the re_string_t internal buffer.
Local variable 'buf' was not updated in such case, resulting in
use-after-free.
* posix/regexec.c (get_subexp): Update 'buf' after call to
get_subexp_sub.
diff --git a/ChangeLog b/ChangeLog
index 90e9f8f..2fef13e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,16 @@
+2018-12-15 Assaf Gordon <assafgordon@gmail.com>
+
+ regex: fix heap-use-after-free error
+ [BZ #18040]
+ Problem reported by Saito Takaaki <tails.saito@gmail.com> in
+ https://debbugs.gnu.org/32592
+ Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may
+ call extend_buffers which reallocates the re_string_t internal buffer.
+ Local variable 'buf' was not updated in such case, resulting in
+ use-after-free.
+ * posix/regexec.c (get_subexp): Update 'buf' after call to
+ get_subexp_sub.
+
2018-12-15 Florian Weimer <fweimer@redhat.com>
* support/blob_repeat.c (check_mul_overflow_size_t): New function.
diff --git a/posix/regexec.c b/posix/regexec.c
index c3e6a5b..a29e8ad 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -2783,6 +2783,7 @@ get_subexp (re_match_context_t *mctx, Idx bkref_node, Idx bkref_str_idx)
return REG_ESPACE;
err = get_subexp_sub (mctx, sub_top, sub_last, bkref_node,
bkref_str_idx);
+ buf = (const char *) re_string_get_buffer (&mctx->input);
if (err == REG_NOMATCH)
continue;
}
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 20 ++++++++++++++++++++
posix/regexec.c | 3 +++
2 files changed, 23 insertions(+), 0 deletions(-)
hooks/post-receive
--
GNU C Library master sources