bug-gnulib

[PATCH 1/2] regex: fix free_fail_stack undefined behavior


From: Paul Eggert
Subject: [PATCH 1/2] regex: fix free_fail_stack undefined behavior
Date: Fri, 11 Mar 2022 13:35:39 -0800

* lib/regexec.c (push_fail_stack): Don’t increment number of
re_fail_stack_t entries until after successful allocation.  This
prevents a crash if re_realloc or re_malloc fails here, and a
later free_fail_stack examines regs or a later pop_fail_stack
examines node.  Problem discovered by Coverity scan sent
2022-03-11 11:03:52Z.
---
 ChangeLog     | 10 ++++++++++
 lib/regexec.c |  5 +++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 7713294982..50f60c6372 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2022-03-11  Paul Eggert  <eggert@cs.ucla.edu>
+
+       regex: fix free_fail_stack undefined behavior
+       * lib/regexec.c (push_fail_stack): Don’t increment number of
+       re_fail_stack_t entries until after successful allocation.  This
+       prevents a crash if re_realloc or re_malloc fails here, and a
+       later free_fail_stack examines regs or a later pop_fail_stack
+       examines node.  Problem discovered by Coverity scan sent
+       2022-03-11 11:03:52Z.
+
 2022-03-10  Paul Eggert  <eggert@cs.ucla.edu>
 
        fts: revert change to use AT_NO_AUTOMOUNT
diff --git a/lib/regexec.c b/lib/regexec.c
index aea1e7da52..0691e91e1e 100644
--- a/lib/regexec.c
+++ b/lib/regexec.c
@@ -1308,8 +1308,8 @@ push_fail_stack (struct re_fail_stack_t *fs, Idx str_idx, 
Idx dest_node,
                 re_node_set *eps_via_nodes)
 {
   reg_errcode_t err;
-  Idx num = fs->num++;
-  if (fs->num == fs->alloc)
+  Idx num = fs->num;
+  if (num + 1 == fs->alloc)
     {
       struct re_fail_stack_ent_t *new_array;
       new_array = re_realloc (fs->stack, struct re_fail_stack_ent_t,
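Review bot: The new test `if (num + 1 == fs->alloc)` is equivalent to the old `fs->num == fs->alloc` evaluated after the increment, so the stack grows at the same point as before; the only behavioural change is that fs->num is left untouched when allocation fails, which is exactly what the commit message wants. The re_realloc failure return lies outside this hunk's context, so it is worth confirming that that path still returns before anything is written to fs->stack[num]; with num no longer counted, a failed push then leaves the stack exactly as it was, and free_fail_stack and pop_fail_stack never see a half-initialised entry.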
@@ -1324,6 +1324,7 @@ push_fail_stack (struct re_fail_stack_t *fs, Idx str_idx, 
Idx dest_node,
   fs->stack[num].regs = re_malloc (regmatch_t, 2 * nregs);
   if (fs->stack[num].regs == NULL)
     return REG_ESPACE;
+  fs->num = num + 1;
   memcpy (fs->stack[num].regs, regs, sizeof (regmatch_t) * nregs);
   memcpy (fs->stack[num].regs + nregs, prevregs, sizeof (regmatch_t) * nregs);
   err = re_node_set_init_copy (&fs->stack[num].eps_via_nodes, eps_via_nodes);
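Review bot: Placing `fs->num = num + 1;` immediately after the regs allocation succeeds, rather than at the end of the function, makes the entry visible to free_fail_stack while re_node_set_init_copy on the last line can still fail. That ordering looks deliberate: if the copy fails, the entry's regs buffer must be counted so free_fail_stack releases it instead of leaking it, and it relies on re_node_set_init_copy leaving eps_via_nodes in a state that is safe to free. A one-line comment above the assignment saying why fs->num is set here would spare the next reader the same analysis.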
-- 
2.35.1
