mirror of
git://sourceware.org/git/glibc.git
synced 2024-11-21 01:12:26 +08:00
Fix array bounds violation in regex matcher (bug 25149)
If the regex has more subexpressions than the number of elements allocated in the regmatch_t array passed to regexec then proceed_next_node may access the regmatch_t array outside its bounds. No testcase added because even without this bug it would then crash in pop_fail_stack which is bug 11053.
This commit is contained in:
parent
2e44b10b42
commit
fc141ea78e
@ -1266,10 +1266,13 @@ proceed_next_node (const re_match_context_t *mctx, Idx nregs, regmatch_t *regs,
|
||||
if (type == OP_BACK_REF)
|
||||
{
|
||||
Idx subexp_idx = dfa->nodes[node].opr.idx + 1;
|
||||
naccepted = regs[subexp_idx].rm_eo - regs[subexp_idx].rm_so;
|
||||
if (subexp_idx < nregs)
|
||||
naccepted = regs[subexp_idx].rm_eo - regs[subexp_idx].rm_so;
|
||||
if (fs != NULL)
|
||||
{
|
||||
if (regs[subexp_idx].rm_so == -1 || regs[subexp_idx].rm_eo == -1)
|
||||
if (subexp_idx >= nregs
|
||||
|| regs[subexp_idx].rm_so == -1
|
||||
|| regs[subexp_idx].rm_eo == -1)
|
||||
return -1;
|
||||
else if (naccepted)
|
||||
{
|
||||
|
Loading…
Reference in New Issue
Block a user