>From d58391ad0377f0fde07e8f555583bff8125772d3 Mon Sep 17 00:00:00 2001 From: Assaf Gordon Date: Wed, 5 Sep 2018 17:40:28 -0600 Subject: [PATCH] regex: fix heap-use-after-free error Problem reported by Saito Takaaki in https://debbugs.gnu.org/32592 Calling get_subexp() -> get_subexp_sub() -> clean_state_log_if_needed() may call extend_buffers() which reallocates the re_string_t's internal buffer. Local variable 'buf' was not updated in such case, resulting in use-after-free. * regexec.c (get_subexp): Update 'buf' after calling get_subexp_sub. --- ChangeLog | 12 ++++++++++++ lib/regexec.c | 1 + 2 files changed, 13 insertions(+) diff --git a/ChangeLog b/ChangeLog index 23689545a..3cafe2177 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +2018-09-05 Assaf Gordon + + regex: fix heap-use-after-free error + Problem reported by Saito Takaaki in + https://debbugs.gnu.org/32592 + Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may + call extend_buffers which reallocates the re_string_t internal buffer. + Local variable 'buf' was not updated in such case, resulting in + use-after-free. + * regexec.c (get_subexp): Update 'buf' after call to get_subexp_sub. + Additionally, check for allocation errors and bail out if needed. + 2018-09-05 Eric Blake doc: mention environ pitfall diff --git a/lib/regexec.c b/lib/regexec.c index 73644c234..61a4ea26d 100644 --- a/lib/regexec.c +++ b/lib/regexec.c @@ -2777,6 +2777,7 @@ get_subexp (re_match_context_t *mctx, Idx bkref_node, Idx bkref_str_idx) return REG_ESPACE; err = get_subexp_sub (mctx, sub_top, sub_last, bkref_node, bkref_str_idx); + buf = (const char *) re_string_get_buffer (&mctx->input); if (err == REG_NOMATCH) continue; } -- 2.11.0
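Review bot: the ChangeLog hunk says "Additionally, check for allocation errors and bail out if needed", but the regexec.c hunk contains no such check; the only change is the added `buf = (const char *) re_string_get_buffer (&mctx->input);`, and the context that follows still only handles one outcome, `if (err == REG_NOMATCH) continue;`, so any other error value returned by get_subexp_sub (the allocation failure inside extend_buffers that the commit message itself describes would be one) is not acted on in the lines visible here. Either drop that sentence from the ChangeLog entry so it matches the code, or add the bail-out it promises, e.g. `else if (err != REG_NOERROR) return err;` after the `continue`. A short comment at the refresh site ("get_subexp_sub may reallocate the input buffer") would also help, since a future reader seeing `buf` reassigned to what looks like the same value may remove the line as redundant and reintroduce the use-after-free.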
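The bug class the patch fixes, a caller that caches a pointer into a growable buffer, calls something that may reallocate that buffer, and then keeps using the cached pointer, is easy to reproduce outside the regex engine. The following is an added example, not gnulib's code: it uses a toy `struct str_buf` (a stand-in for `re_string_t`), `str_buf_extend()` (standing in for `extend_buffers()`) and `sub_step()` (standing in for `get_subexp_sub()`), all constructed for this illustration. `cached_pointer_goes_stale()` shows the pre-patch flow and reports, by address comparison only, whether the cached pointer no longer names the live buffer; `byte_at_after_step()` shows the post-patch flow, re-fetching the pointer right after the call that may reallocate.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for re_string_t (constructed for this example). */
struct str_buf {
    char *mbs;     /* current heap buffer */
    size_t len;    /* bytes in use, not counting the NUL */
    size_t alloc;  /* bytes allocated */
};

static int str_buf_init(struct str_buf *s, const char *src)
{
    s->len = strlen(src);
    s->alloc = s->len + 1;
    s->mbs = malloc(s->alloc);
    if (s->mbs == NULL) return -1;
    memcpy(s->mbs, src, s->alloc);
    return 0;
}

/* Stand-in for extend_buffers(): grows the buffer.  It allocates fresh
   storage while the old block is still live, so the address is guaranteed
   to change and the stale-pointer case is reproducible. */
static int str_buf_extend(struct str_buf *s)
{
    size_t new_alloc = s->alloc * 2;
    char *fresh = malloc(new_alloc);
    if (fresh == NULL) return -1;
    memcpy(fresh, s->mbs, s->len + 1);
    free(s->mbs);                 /* old buffer is gone from here on */
    s->mbs = fresh;
    s->alloc = new_alloc;
    return 0;
}

static const char *str_buf_get_buffer(const struct str_buf *s)
{
    return s->mbs;
}

/* Stand-in for get_subexp_sub(): does work that may grow the buffer.
   Returns 0 on success, -2 on allocation failure. */
static int sub_step(struct str_buf *s, int need_extend)
{
    if (need_extend && str_buf_extend(s) != 0) return -2;
    return 0;
}

/* Pre-patch pattern: cache 'buf', call the step, keep using 'buf'.
   Returns 1 if the cached pointer no longer points at the live buffer
   (the use-after-free case), 0 if it is still valid, -1 on error.  The
   stale value is only compared as an integer, never dereferenced. */
static int cached_pointer_goes_stale(struct str_buf *s, int need_extend)
{
    uintptr_t cached = (uintptr_t) str_buf_get_buffer(s);  /* like 'buf' */
    if (sub_step(s, need_extend) != 0) return -1;
    /* Without the fix, the caller would read through 'cached' here. */
    return cached != (uintptr_t) str_buf_get_buffer(s);
}

/* Post-patch pattern: re-fetch 'buf' immediately after the call that may
   reallocate, and bail out on error instead of reading a dead buffer.
   Returns the byte at 'idx', or -1 on error / out of range. */
static int byte_at_after_step(struct str_buf *s, size_t idx, int need_extend)
{
    const char *buf = str_buf_get_buffer(s);
    if (sub_step(s, need_extend) != 0) return -1;
    buf = str_buf_get_buffer(s);   /* the refresh the patch adds */
    if (idx >= s->len) return -1;
    return (unsigned char) buf[idx];
}

/* Runs the scenario end to end; returns 0 on success, else the number of
   the first check that failed. */
static int run_demo(void)
{
    struct str_buf s;
    int rc = 0;
    if (str_buf_init(&s, "abc") != 0) return 1;
    if (cached_pointer_goes_stale(&s, 0) != 0) rc = 2;        /* no growth */
    else if (cached_pointer_goes_stale(&s, 1) != 1) rc = 3;   /* growth: stale */
    else if (byte_at_after_step(&s, 1, 1) != 'b') rc = 4;     /* refreshed: ok */
    else if (s.alloc != 16) rc = 5;                           /* 4 -> 8 -> 16 */
    free(s.mbs);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("%s (rc=%d)\n", rc == 0 ? "all checks passed" : "check failed", rc);
    return rc;
}
```

The address comparison in `cached_pointer_goes_stale()` is only a way to observe the hazard deterministically in a test; in the real engine the symptom is a read through the freed block, which is exactly what AddressSanitizer reported in the bug. The general rule the patch applies is: any pointer obtained from a buffer that a callee may grow must be treated as invalid across that call and re-fetched afterwards.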