fix free of uninitialized buffer pointer on error in regexec

the fix in commit c3edc06d for CVE-2016-8859 used gotos to exit on overflow conditions, but the code in that error path assumed the buffer pointer was valid or null. thus, the conditions which previously led to under-allocation and buffer overflow could instead lead to an invalid pointer being passed to free.

fix free of uninitialized buffer pointer on error in regexec
the fix in commit c3edc06d for CVE-2016-8859 used gotos to exit on overflow conditions, but the code in that error path assumed the buffer pointer was valid or null. thus, the conditions which previously led to under-allocation and buffer overflow could instead lead to an invalid pointer being passed to free.
6582baa7 · Rich Felker · 6476b813 · 6582baa7
隐藏空白更改
内联并排

Showing with 3 addition and 3 deletion

src/regex/regexec.c src/regex/regexec.c +3 -3

未找到文件。
--- a/src/regex/regexec.c
+++ b/src/regex/regexec.c
@@ -215,15 +215,15 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string,
    /* Ensure that tbytes and xbytes*num_states cannot overflow, and that
     * they don't contribute more than 1/8 of SIZE_MAX to total_bytes. */
    if (num_tags > SIZE_MAX/(8 * sizeof(regoff_t) * tnfa->num_states))
-      goto error_exit;
+      return REG_ESPACE;

    /* Likewise check rbytes. */
    if (tnfa->num_states+1 > SIZE_MAX/(8 * sizeof(*reach_next)))
-      goto error_exit;
+      return REG_ESPACE;

    /* Likewise check pbytes. */
    if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_pos)))
-      goto error_exit;
+      return REG_ESPACE;

    /* Compute the length of the block we need. */
    tbytes = sizeof(*tmp_tags) * num_tags;