public inbox for libc-alpha@sourceware.org
* regex fixes coming
From: Paul Eggert @ 2018-09-09 15:09 UTC (permalink / raw)
  To: GNU C Library; +Cc: Assaf Gordon

Assaf Gordon has been doing heroic work in finding crashes in the regex code, 
and two fixes found as part of that process are ready to go in. I'll follow up 
with copies of proposed patches, one found by his work and one minor cleanup I 
found by code inspection. With luck, Assaf will have more fixes later.


* [PATCH 2/2] regex: fix storage-exhaustion error
From: Paul Eggert @ 2018-09-09 15:12 UTC (permalink / raw)
  To: libc-alpha; +Cc: Paul Eggert

[BZ #23610][BZ #18040]
* posix/regexec.c (get_subexp):
Do not continue if storage is exhausted.
---
 ChangeLog       | 7 +++++++
 posix/regexec.c | 2 ++
 2 files changed, 9 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index cf69a33d73..0d865c4eae 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2018-09-09  Paul Eggert  <eggert@cs.ucla.edu>
+
+	regex: fix storage-exhaustion error
+	[BZ #23609][BZ #18040]
+	* posix/regexec.c (get_subexp):
+	Do not continue if storage is exhausted.
+
 2018-09-09  Assaf Gordon  <assafgordon@gmail.com>
 
 	regex: fix heap-use-after-free error
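Review bot: the bug reference in this ChangeLog entry, "[BZ #23609][BZ #18040]", does not match the commit message of the same patch, which cites "[BZ #23610][BZ #18040]"; the two are expected to carry the same reference, so one of them is a typo. Note also that #23609 is the number already used by the heap-use-after-free entry directly below, which makes it more likely that this entry meant a different bug; please settle on one number before this is pushed.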
diff --git a/posix/regexec.c b/posix/regexec.c
index 61a4ea26d1..0bef862dca 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -2780,6 +2780,8 @@ get_subexp (re_match_context_t *mctx, Idx bkref_node, Idx bkref_str_idx)
 	  buf = (const char *) re_string_get_buffer (&mctx->input);
 	  if (err == REG_NOMATCH)
 	    continue;
+	  if (BE (err != REG_NOERROR, 0))
+	    return err;
 	}
     }
   return REG_NOERROR;
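Review bot: the new `if (BE (err != REG_NOERROR, 0)) return err;` propagates every code other than REG_NOERROR and REG_NOMATCH, which is broader than the "if storage is exhausted" wording in the commit message and ChangeLog; either say "propagate any error from get_subexp_sub", or, if REG_ESPACE is the only other value get_subexp_sub can return, state that in a short comment next to the check so the next reader does not have to re-derive it. The placement is right: the `buf = ... re_string_get_buffer (...)` refresh on the preceding context line runs before the early return, so nothing after this point can see a stale pointer, and the early return also avoids looping on with a half-initialised state after an allocation failure.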
-- 
2.17.1


* [PATCH 1/2] regex: fix heap-use-after-free error
From: Paul Eggert @ 2018-09-09 15:12 UTC (permalink / raw)
  To: libc-alpha; +Cc: Assaf Gordon

From: Assaf Gordon <assafgordon@gmail.com>

[BZ #23609][BZ #18040]
Problem reported by Saito Takaaki <tails.saito@gmail.com> in
https://debbugs.gnu.org/32592
Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may
call extend_buffers which reallocates the re_string_t internal buffer.
Local variable 'buf' was not updated in such case, resulting in
use-after-free.
* posix/regexec.c (get_subexp): Update 'buf' after call to
get_subexp_sub.
---
 ChangeLog       | 13 +++++++++++++
 posix/regexec.c |  1 +
 2 files changed, 14 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 611caf9bd8..cf69a33d73 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,16 @@
+2018-09-09  Assaf Gordon  <assafgordon@gmail.com>
+
+	regex: fix heap-use-after-free error
+	[BZ #23609][BZ #18040]
+	Problem reported by Saito Takaaki <tails.saito@gmail.com> in
+	https://debbugs.gnu.org/32592
+	Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may
+	call extend_buffers which reallocates the re_string_t internal buffer.
+	Local variable 'buf' was not updated in such case, resulting in
+	use-after-free.
+	* posix/regexec.c (get_subexp): Update 'buf' after call to
+	get_subexp_sub.
+
 2018-09-06  Stefan Liebler  <stli@linux.ibm.com>
 
 	* sysdeps/s390/fpu/libm-test-ulps: Regenerated.
diff --git a/posix/regexec.c b/posix/regexec.c
index 73644c2341..61a4ea26d1 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -2777,6 +2777,7 @@ get_subexp (re_match_context_t *mctx, Idx bkref_node, Idx bkref_str_idx)
 	    return REG_ESPACE;
 	  err = get_subexp_sub (mctx, sub_top, sub_last, bkref_node,
 				bkref_str_idx);
+	  buf = (const char *) re_string_get_buffer (&mctx->input);
 	  if (err == REG_NOMATCH)
 	    continue;
 	}
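Review bot: the added `buf = (const char *) re_string_get_buffer (&mctx->input);` needs a comment at the insertion point explaining why it is re-read inside the loop (get_subexp_sub can reach extend_buffers via clean_state_log_if_needed and move the input buffer); without it a later cleanup is likely to hoist the read back out of the loop and reintroduce the use-after-free. Suggest `/* get_subexp_sub may have reallocated the input buffer.  */` directly above the assignment. Separately, in this hunk a REG_ESPACE result from get_subexp_sub still falls through the `if (err == REG_NOMATCH) continue;` test and the loop keeps going; the companion patch 2/2 on this thread adds the missing return, so the two should land together. The regression test for BZ #23609 should drive an input long enough to trigger extend_buffers, so that the stale read is caught by ASan deterministically rather than only when the allocator happens to move the block.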
-- 
2.17.1

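The two patches above fix one loop in two ways: a local that cached a pointer into a buffer the callee may reallocate, and an error code that was silently treated like a match. The following is an added example, not glibc code and not part of either patch. It models the before and after shape of get_subexp in plain C with hypothetical names (the ERR_* codes, struct input, the grows_left knob, and the "grow once the scan crosses the middle of the buffer" rule are all assumptions made for the example; the input string "XaXbX" is constructed). The buggy variant does not dereference the stale pointer, which would be undefined behaviour; it counts how many reads the original code would have made through it.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not glibc code.  Stand-ins for REG_NOERROR/REG_NOMATCH/REG_ESPACE.  */
enum { ERR_OK = 0, ERR_NOMATCH = 1, ERR_SPACE = 2 };

/* Stand-in for re_string_t: a heap buffer whose address changes when grown.  */
struct input {
    char *buf;
    size_t len, cap;
    size_t grows_left;   /* hypothetical knob: growths allowed before "out of memory" */
};

/* Stand-in for extend_buffers.  Old and new blocks are live at the same time,
   so the address always changes and any pointer cached before the call now
   refers to freed memory.  */
static int extend_buffers(struct input *in)
{
    if (in->grows_left == 0)
        return ERR_SPACE;
    char *nbuf = malloc(in->cap * 2);
    if (nbuf == NULL)
        return ERR_SPACE;
    in->grows_left--;
    memcpy(nbuf, in->buf, in->len);
    free(in->buf);
    in->buf = nbuf;
    in->cap *= 2;
    return ERR_OK;
}

/* Stand-in for get_subexp_sub: may grow the buffer as a side effect (the real
   code reaches extend_buffers through clean_state_log_if_needed).  Growth
   triggers once the scan crosses the middle of the buffer (assumed rule).  */
static int get_subexp_sub(struct input *in, size_t pos, char want)
{
    if (pos >= in->cap / 2) {
        int err = extend_buffers(in);
        if (err != ERR_OK)
            return err;
    }
    return in->buf[pos] == want ? ERR_OK : ERR_NOMATCH;
}

struct result { int err; int count; };

/* Shape of get_subexp before the two patches: 'buf' is read once, and any
   code other than NOMATCH is treated as success.  Instead of dereferencing a
   possibly freed 'buf', count the reads that would have hit the old block.  */
static struct result get_subexp_before(struct input *in, char want)
{
    struct result r = { ERR_OK, 0 };
    const char *buf = in->buf;
    for (size_t i = 0; i < in->len; i++) {
        int err = get_subexp_sub(in, i, want);
        if (err == ERR_NOMATCH)
            continue;
        if (buf != in->buf)          /* the original reads buf[...] here */
            r.count++;
    }
    return r;
}

/* Shape of get_subexp after both patches: re-fetch 'buf' after every call
   that can reallocate, and propagate any error that is not NOMATCH.  */
static struct result get_subexp_after(struct input *in, char want)
{
    struct result r = { ERR_OK, 0 };
    const char *buf;
    for (size_t i = 0; i < in->len; i++) {
        int err = get_subexp_sub(in, i, want);
        buf = in->buf;               /* patch 1/2: buffer may have moved */
        if (err == ERR_NOMATCH)
            continue;
        if (err != ERR_OK) {
            r.err = err;             /* patch 2/2: stop instead of continuing */
            return r;
        }
        if (buf[i] == want)          /* safe: 'buf' is current */
            r.count++;
    }
    return r;
}

/* Driver over constructed input "XaXbX" in an 8-byte buffer: the match at
   offset 4 crosses the middle and forces one growth.  fixed=0 runs the
   pre-patch shape, fixed=1 the post-patch shape.  */
static struct result run(size_t grows_left, int fixed)
{
    static const char text[] = "XaXbX";   /* constructed input */
    struct input in = { .buf = malloc(8), .len = sizeof text - 1, .cap = 8,
                        .grows_left = grows_left };
    struct result r = { -1, -1 };
    if (in.buf == NULL)
        return r;
    memcpy(in.buf, text, in.len);
    r = fixed ? get_subexp_after(&in, 'X') : get_subexp_before(&in, 'X');
    free(in.buf);
    return r;
}
```

With growth allowed, run(100, 0) reports one read through a pointer that no longer matches the live buffer (the match at offset 4, right after the reallocation), while run(100, 1) sees all three matches through a refreshed pointer. With growth refused, run(0, 0) still returns ERR_OK because the pre-patch loop treats ERR_SPACE like a match and continues, whereas run(0, 1) returns ERR_SPACE after the two matches found before the failure. The same mechanism is what makes the stale pointer hard to spot in review: the reallocation happens two calls deep, behind a function whose name does not suggest it touches the input buffer.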
