fix memory-corruption in regcomp with backslash followed by high byte

the regex parser handles the (undefined) case of an unexpected byte following a backslash as a literal. however, instead of correctly decoding a character, it was treating the byte value itself as a character. this was not only semantically unjustified, but turned out to be dangerous on archs where plain char is signed: bytes in the range 252-255 alias the internal codes -4 through -1 used for special types of literal nodes in the AST.

fix memory-corruption in regcomp with backslash followed by high byte
the regex parser handles the (undefined) case of an unexpected byte following a backslash as a literal. however, instead of correctly decoding a character, it was treating the byte value itself as a character. this was not only semantically unjustified, but turned out to be dangerous on archs where plain char is signed: bytes in the range 252-255 alias the internal codes -4 through -1 used for special types of literal nodes in the AST.
39dfd584 · Rich Felker · e626deee · 39dfd584
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

src/regex/regcomp.c src/regex/regcomp.c +1 -1

未找到文件。
--- a/src/regex/regcomp.c
+++ b/src/regex/regcomp.c
@@ -847,7 +847,7 @@ static reg_errcode_t parse_atom(tre_parse_ctx_t *ctx, const char *s)
 			} else {
 				/* extension: accept unknown escaped char
 				   as a literal */
-				node = tre_ast_new_literal(ctx->mem, *s, *s, ctx->position);
+				goto parse_literal;
 			}
 			ctx->position++;
 		}