diff mbox

[INSTALLED,1/2] regex: fix heap-use-after-free error

Message ID 20181216151105.31863-1-eggert@cs.ucla.edu
State New, archived
Headers

Commit Message

Paul Eggert Dec. 16, 2018, 3:11 p.m. UTC 
  From: Assaf Gordon <assafgordon@gmail.com>

[BZ #18040]
Problem reported by Saito Takaaki <tails.saito@gmail.com> in
https://debbugs.gnu.org/32592
Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may
call extend_buffers which reallocates the re_string_t internal buffer.
Local variable 'buf' was not updated in such case, resulting in
use-after-free.
* posix/regexec.c (get_subexp): Update 'buf' after call to
get_subexp_sub.
---
 ChangeLog       | 13 +++++++++++++
 posix/regexec.c |  1 +
 2 files changed, 14 insertions(+)
diff mbox

Patch

diff --git a/ChangeLog b/ChangeLog
index 90e9f8f2d2..2fef13ec02 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,16 @@ 
+2018-12-15  Assaf Gordon  <assafgordon@gmail.com>
+
+	regex: fix heap-use-after-free error
+	[BZ #18040]
+	Problem reported by Saito Takaaki <tails.saito@gmail.com> in
+	https://debbugs.gnu.org/32592
+	Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may
+	call extend_buffers which reallocates the re_string_t internal buffer.
+	Local variable 'buf' was not updated in such case, resulting in
+	use-after-free.
+	* posix/regexec.c (get_subexp): Update 'buf' after call to
+	get_subexp_sub.
+
 2018-12-15  Florian Weimer  <fweimer@redhat.com>
 
 	* support/blob_repeat.c (check_mul_overflow_size_t): New function.
diff --git a/posix/regexec.c b/posix/regexec.c
index c3e6a5b8cb..a29e8ad1ff 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -2783,6 +2783,7 @@  get_subexp (re_match_context_t *mctx, Idx bkref_node, Idx bkref_str_idx)
 	    return REG_ESPACE;
 	  err = get_subexp_sub (mctx, sub_top, sub_last, bkref_node,
 				bkref_str_idx);
+	  buf = (const char *) re_string_get_buffer (&mctx->input);
 	  if (err == REG_NOMATCH)
 	    continue;
 	}