* [INSTALLED 1/2] regex: fix heap-use-after-free error
From: Paul Eggert @ 2018-12-16 15:11 UTC
To: libc-alpha; +Cc: Assaf Gordon
From: Assaf Gordon <assafgordon@gmail.com>
[BZ #18040]
Problem reported by Saito Takaaki <tails.saito@gmail.com> in
https://debbugs.gnu.org/32592
Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may
call extend_buffers which reallocates the re_string_t internal buffer.
Local variable 'buf' was not updated in such case, resulting in
use-after-free.
* posix/regexec.c (get_subexp): Update 'buf' after call to
get_subexp_sub.
---
ChangeLog | 13 +++++++++++++
posix/regexec.c | 1 +
2 files changed, 14 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 90e9f8f2d2..2fef13ec02 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,16 @@
+2018-12-15 Assaf Gordon <assafgordon@gmail.com>
+
+ regex: fix heap-use-after-free error
+ [BZ #18040]
+ Problem reported by Saito Takaaki <tails.saito@gmail.com> in
+ https://debbugs.gnu.org/32592
+ Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may
+ call extend_buffers which reallocates the re_string_t internal buffer.
+ Local variable 'buf' was not updated in such case, resulting in
+ use-after-free.
+ * posix/regexec.c (get_subexp): Update 'buf' after call to
+ get_subexp_sub.
+
2018-12-15 Florian Weimer <fweimer@redhat.com>
* support/blob_repeat.c (check_mul_overflow_size_t): New function.
diff --git a/posix/regexec.c b/posix/regexec.c
index c3e6a5b8cb..a29e8ad1ff 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -2783,6 +2783,7 @@ get_subexp (re_match_context_t *mctx, Idx bkref_node, Idx bkref_str_idx)
return REG_ESPACE;
err = get_subexp_sub (mctx, sub_top, sub_last, bkref_node,
bkref_str_idx);
+ buf = (const char *) re_string_get_buffer (&mctx->input);
if (err == REG_NOMATCH)
continue;
}
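Review bot: the added `buf = (const char *) re_string_get_buffer (&mctx->input);` line after the get_subexp_sub call has no comment saying why the pointer is re-read, so a later cleanup could remove it as redundant. A one-line comment that get_subexp_sub can reallocate the input buffer, as the commit message explains, would protect it. In the check that follows, only `err == REG_NOMATCH` is handled; any other non-zero err reaches the closing brace and the loop goes on with the next candidate, so consider returning err there when it is not REG_NOERROR. The diffstat lists only ChangeLog and posix/regexec.c, so no regression test for the reported input is included.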
--
2.19.2
* [INSTALLED 2/2] regex: fix storage-exhaustion error
From: Paul Eggert @ 2018-12-16 18:22 UTC
To: libc-alpha; +Cc: Paul Eggert
[BZ #18040]
* posix/regexec.c (get_subexp):
Do not continue if storage is exhausted.
---
ChangeLog | 7 +++++++
posix/regexec.c | 2 ++
2 files changed, 9 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 2fef13ec02..e0e7a74011 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2018-12-15 Paul Eggert <eggert@cs.ucla.edu>
+
+ regex: fix storage-exhaustion error
+ [BZ #18040]
+ * posix/regexec.c (get_subexp):
+ Do not continue if storage is exhausted.
+
2018-12-15 Assaf Gordon <assafgordon@gmail.com>
regex: fix heap-use-after-free error
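Review bot: the entry text "Do not continue if storage is exhausted" is narrower than the change it records, since the check added to posix/regexec.c in this patch returns on any err other than REG_NOERROR, not only on REG_ESPACE. Wording such as "Return on any error from get_subexp_sub other than REG_NOMATCH" would match the code.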
diff --git a/posix/regexec.c b/posix/regexec.c
index a29e8ad1ff..ecb430d302 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -2786,6 +2786,8 @@ get_subexp (re_match_context_t *mctx, Idx bkref_node, Idx bkref_str_idx)
buf = (const char *) re_string_get_buffer (&mctx->input);
if (err == REG_NOMATCH)
continue;
+ if (__glibc_unlikely (err != REG_NOERROR))
+ return err;
}
}
return REG_NOERROR;
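Review bot: the new `if (__glibc_unlikely (err != REG_NOERROR)) return err;` depends on being placed after the `err == REG_NOMATCH` `continue`; if the two checks were ever reordered, every non-matching candidate would abort the search with an error. A short comment stating that REG_NOMATCH is the only non-fatal result here would make that ordering explicit. The diffstat again shows only ChangeLog and posix/regexec.c, so the error-propagation path is not covered by a test in this patch.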
--
2.19.2