authorRich Felker <dalias@aerifal.cx>2015-03-20 18:06:04 -0400
committerRich Felker <dalias@aerifal.cx>2015-03-20 18:06:04 -0400
commit39dfd58417ef642307d90306e1c7e50aaec5a35c (patch)
treedc3b7ad2ab421d7bf49faba6274b399d6eea3e08 /src/regex/regcomp.c
parente626deeec8b85713eea364d6504dc4282c773693 (diff)
fix memory-corruption in regcomp with backslash followed by high byte
the regex parser handles the (undefined) case of an unexpected byte
following a backslash as a literal. however, instead of correctly
decoding a character, it was treating the byte value itself as a
character. this was not only semantically unjustified, but turned out
to be dangerous on archs where plain char is signed: bytes in the
range 252-255 alias the internal codes -4 through -1 used for special
types of literal nodes in the AST.
Diffstat (limited to 'src/regex/regcomp.c')
-rw-r--r--src/regex/regcomp.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/regex/regcomp.c b/src/regex/regcomp.c
index 4cdaa1ea..bce6bc15 100644
--- a/src/regex/regcomp.c
+++ b/src/regex/regcomp.c
@@ -847,7 +847,7 @@ static reg_errcode_t parse_atom(tre_parse_ctx_t *ctx, const char *s)
 			} else {
 				/* extension: accept unknown escaped char
 				   as a literal */
-				node = tre_ast_new_literal(ctx->mem, *s, *s, ctx->position);
+				goto parse_literal;
 			}
 			ctx->position++;
 		}
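Review bot: The comment above the new `goto parse_literal;` still says only that an unknown escaped char is accepted as a literal; it does not record why the byte has to go through the decoding path instead of being handed to `tre_ast_new_literal` as `*s`. Per the commit message, where plain char is signed the bytes 252-255 alias the internal codes -4 through -1, so I would extend the comment to something like `/* extension: accept unknown escaped char as a literal; decode it via parse_literal, never pass raw *s (negative values alias special node codes) */`. The jump also skips the `ctx->position++;` that follows the if/else, so it is worth confirming that the `parse_literal` path, which lies outside this hunk, does its own position and `s` accounting. A regression test compiling a pattern with a backslash followed by each of the bytes 0xFC-0xFF would pin the fix on signed-char targets.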