From: Arnold Robbins
Date: Fri, 08 Dec 2017 11:16:59 +0200
To: carlos@redhat.com, libc-alpha@sourceware.org
Subject: [PATCH 07/17] Regex: Additional memory management checks.
Message-id: <201712080916.vB89GxcF005503@skeeve.com>
X-Patchwork-Id: 24808

This patch adds several small memory management safety checks. The last one is particularly important.

2017-11-27  Arnold D. Robbins

	* posix/regcomp.c (analyze): Additional memory management
	safety checks.
	* posix/regexec.c (re_search_internal): Ditto.
	* posix/regex_internal.c (re_node_set_alloc): Ditto.

diff --git a/posix/regcomp.c b/posix/regcomp.c index c1fd23b..83fcc40 100644 --- a/posix/regcomp.c +++ b/posix/regcomp.c 
@@ -1157,7 +1157,11 @@ analyze (regex_t *preg) || dfa->eclosures == NULL, 0)) return REG_ESPACE; + /* some malloc()-checkers don't like zero allocations */ + if (preg->re_nsub > 0) dfa->subexp_map = re_malloc (int, preg->re_nsub); + else + dfa->subexp_map = NULL; if (dfa->subexp_map != NULL) { int i; diff --git a/posix/regex_internal.c b/posix/regex_internal.c index 506ccad..968fd77 100644 --- a/posix/regex_internal.c +++ b/posix/regex_internal.c @@ -958,6 +958,16 @@ static reg_errcode_t __attribute_warn_unused_result__ re_node_set_alloc (re_node_set *set, int size) { + /* + * ADR: valgrind says size can be 0, which then doesn't + * free the block of size 0. Harumph. This seems + * to work ok, though. + */ + if (size == 0) + { + memset(set, 0, sizeof(*set)); + return REG_NOERROR; + } set->alloc = size; set->nelem = 0; set->elems = re_malloc (int, size); diff --git a/posix/regexec.c b/posix/regexec.c index 2d2bc46..8573765 100644 --- a/posix/regexec.c +++ b/posix/regexec.c @@ -605,7 +605,7 @@ re_search_internal (const regex_t *preg, const char *string, int length, nmatch -= extra_nmatch; /* Check if the DFA haven't been compiled. */ - if (BE (preg->used == 0 || dfa->init_state == NULL + if (BE (preg->used == 0 || dfa == NULL || dfa->init_state == NULL || dfa->init_state_word == NULL || dfa->init_state_nl == NULL || dfa->init_state_begbuf == NULL, 0)) return REG_NOMATCH;
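Review bot: In the posix/regcomp.c hunk (analyze), the `dfa->subexp_map = re_malloc (int, preg->re_nsub);` line is carried as unchanged context, so it keeps its old indentation even though it is now the body of the new `if (preg->re_nsub > 0)`. Please re-indent it in the patch so the control flow is readable. The new comment should also follow the surrounding style (capitalised sentence ending in a period), and it would help to say that a NULL subexp_map is an expected state for a pattern with no subexpressions, since the following `if (dfa->subexp_map != NULL)` now sees NULL both for that case and for a failed allocation.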
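Review bot: In the posix/regex_internal.c hunk (re_node_set_alloc), the early return for `size == 0` leaves the set zeroed, with a NULL `elems` and an `alloc` of 0, and the only justification given is the comment "This seems to work ok, though". Please replace that comment with a statement of the invariant the change relies on, namely that code which later grows or reads a node set accepts an empty set with no backing array, and say how that was checked. `size` is a signed `int` and only the exact value 0 is handled, so a negative value still reaches `re_malloc (int, size)`; if that cannot happen, an assert or a note to that effect would make it explicit. Style: drop the "ADR:" tag and the leading asterisks from the comment, and write `memset (set, 0, sizeof (*set));` with a space before the parenthesis to match the rest of the file.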
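Review bot: In the posix/regexec.c hunk (re_search_internal), the added `dfa == NULL ||` test only protects the dereferences that follow it in this condition, so please confirm that nothing earlier in the function touches `dfa` before this point; the hunk starts at line 605 and the preceding code is not visible here. Because the test comes after `preg->used == 0 ||`, it only matters for a regex_t with a non-zero `used` and a NULL DFA pointer. The commit message calls this check particularly important but does not say how a caller reaches that state. Please describe the triggering case in the message and add a regression test for it, so the NULL check is documented as a fix rather than a defensive guess.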