RepoMirrors/musl
1
0
Fork 0
mirror of git://git.musl-libc.org/musl synced 2025-01-01 20:12:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix free of uninitialized buffer pointer on error in regexec

Browse Source 
the fix in commit c3edc06d1e for
CVE-2016-8859 used gotos to exit on overflow conditions, but the code
in that error path assumed the buffer pointer was valid or null. thus,
the conditions which previously led to under-allocation and buffer
overflow could instead lead to an invalid pointer being passed to
free.
This commit is contained in:
Rich Felker 2017-03-14 14:18:07 -04:00
parent 6476b81357
commit 6582baa752
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/regex/regexec.c
View File

@ -215,15 +215,15 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string,
/* Ensure that tbytes and xbytes*num_states cannot overflow, and that
* they don't contribute more than 1/8 of SIZE_MAX to total_bytes. */
if (num_tags > SIZE_MAX/(8 * sizeof(regoff_t) * tnfa->num_states))
goto error_exit;
return REG_ESPACE;
/* Likewise check rbytes. */
if (tnfa->num_states+1 > SIZE_MAX/(8 * sizeof(*reach_next)))
goto error_exit;
return REG_ESPACE;
/* Likewise check pbytes. */
if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_pos)))
goto error_exit;
return REG_ESPACE;
/* Compute the length of the block we need. */
tbytes = sizeof(*tmp_tags) * num_tags;