regex: fix heap-use-after-free error

[BZ #18040] Problem reported by Saito Takaaki <tails.saito@gmail.com> in https://debbugs.gnu.org/32592 Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may call extend_buffers which reallocates the re_string_t internal buffer. Local variable 'buf' was not updated in such case, resulting in use-after-free. * posix/regexec.c (get_subexp): Update 'buf' after call to get_subexp_sub.
author: Assaf Gordon <assafgordon@gmail.com> 2018-09-05 23:25:07 -0700
committer: Paul Eggert <eggert@cs.ucla.edu> 2018-12-16 07:08:29 -0800
commit: 077caf61d867d4cab49b5aa42da1611868596fe7 (patch)
tree: 870ea6314a4cb90d4db2b91eca8f100c6cf6b688 /posix/regexec.c
parent: 0c1719e65b2a5a80331d4f635612799f853b0479 (diff)
download: glibc-077caf61d867d4cab49b5aa42da1611868596fe7.tar.gz
glibc-077caf61d867d4cab49b5aa42da1611868596fe7.tar.xz
glibc-077caf61d867d4cab49b5aa42da1611868596fe7.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/posix/regexec.c b/posix/regexec.c
index c3e6a5b8cb..a29e8ad1ff 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -2783,6 +2783,7 @@ get_subexp (re_match_context_t *mctx, Idx bkref_node, Idx bkref_str_idx)
 	    return REG_ESPACE;
 	  err = get_subexp_sub (mctx, sub_top, sub_last, bkref_node,
 				bkref_str_idx);
+	  buf = (const char *) re_string_get_buffer (&mctx->input);
 	  if (err == REG_NOMATCH)
 	    continue;
 	}
author	Assaf Gordon <assafgordon@gmail.com>	2018-09-05 23:25:07 -0700
committer	Paul Eggert <eggert@cs.ucla.edu>	2018-12-16 07:08:29 -0800
commit	077caf61d867d4cab49b5aa42da1611868596fe7 (patch)
tree	870ea6314a4cb90d4db2b91eca8f100c6cf6b688 /posix/regexec.c
parent	0c1719e65b2a5a80331d4f635612799f853b0479 (diff)
download	glibc-077caf61d867d4cab49b5aa42da1611868596fe7.tar.gz glibc-077caf61d867d4cab49b5aa42da1611868596fe7.tar.xz glibc-077caf61d867d4cab49b5aa42da1611868596fe7.zip