picnoir/glibc
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Fix array bounds violation in regex matcher (bug 25149)

Browse source 
If the regex has more subexpressions than the number of elements allocated
in the regmatch_t array passed to regexec then proceed_next_node may
access the regmatch_t array outside its bounds.

No testcase added because even without this bug it would then crash in
pop_fail_stack which is bug 11053.
This commit is contained in:
Andreas Schwab 2019-10-30 10:38:36 +01:00
parent 2e44b10b42
commit fc141ea78e
1 changed files with 5 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
posix/regexec.c
View file

@ -1266,10 +1266,13 @@ proceed_next_node (const re_match_context_t *mctx, Idx nregs, regmatch_t *regs,
if (type == OP_BACK_REF)
{
Idx subexp_idx = dfa->nodes[node].opr.idx + 1;
naccepted = regs[subexp_idx].rm_eo - regs[subexp_idx].rm_so;
if (subexp_idx < nregs)
naccepted = regs[subexp_idx].rm_eo - regs[subexp_idx].rm_so;
if (fs != NULL)
{
if (regs[subexp_idx].rm_so == -1 || regs[subexp_idx].rm_eo == -1)
if (subexp_idx >= nregs
|| regs[subexp_idx].rm_so == -1
|| regs[subexp_idx].rm_eo == -1)
return -1;
else if (naccepted)
{