authorRich Felker <dalias@aerifal.cx>2017-03-14 14:18:07 -0400
committerRich Felker <dalias@aerifal.cx>2017-03-14 14:18:07 -0400
commit6582baa752a8facb2c8a7b5b3dcf67331429cdc1 (patch)
tree802e86d8e31c86bc924b20084144ec34a4438629
parent6476b8135760659b25c93ff9308425ca98a9e777 (diff)
fix free of uninitialized buffer pointer on error in regexec
the fix in commit c3edc06d1e1360f3570db9155d6b318ae0d0f0f7 for CVE-2016-8859 used gotos to exit on overflow conditions, but the code in that error path assumed the buffer pointer was valid or null. thus, the conditions which previously led to under-allocation and buffer overflow could instead lead to an invalid pointer being passed to free.
-rw-r--r--src/regex/regexec.c6
1 files changed, 3 insertions, 3 deletions
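diff --git a/src/regex/regexec.c b/src/regex/regexec.c
index 5c4cb922..253b0e14 100644
--- a/src/regex/regexec.c
+++ b/src/regex/regexec.c
@@ -215,15 +215,15 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string,
 /* Ensure that tbytes and xbytes*num_states cannot overflow, and that
 * they don't contribute more than 1/8 of SIZE_MAX to total_bytes. */
 if (num_tags > SIZE_MAX/(8 * sizeof(regoff_t) * tnfa->num_states))
- goto error_exit;
+ return REG_ESPACE;
 /* Likewise check rbytes. */
 if (tnfa->num_states+1 > SIZE_MAX/(8 * sizeof(*reach_next)))
- goto error_exit;
+ return REG_ESPACE;
 /* Likewise check pbytes. */
 if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_pos)))
- goto error_exit;
+ return REG_ESPACE;
 /* Compute the length of the block we need. */
 tbytes = sizeof(*tmp_tags) * num_tags;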
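Review bot: The three early `return REG_ESPACE;` lines are correct only because the buffer pointer freed at `error_exit` has not been assigned yet at this point, and nothing in the code says so; a later cleanup that reunifies these checks with the `goto error_exit` path would silently reintroduce the free of an uninitialized pointer that this commit fixes. Suggest a comment above the first check, e.g. `/* The work buffer is not allocated yet: return directly rather than goto error_exit, which frees it. */`. An alternative that makes the shared error path safe by construction is to initialize that pointer to NULL at its declaration (free(NULL) is a no-op), which appears to be outside this hunk, so I can only suggest it. The enclosing function tre_tnfa_run_parallel starts and ends outside the hunk.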