@@ -1,3 +1,16 @@
+2018-09-09 Assaf Gordon <assafgordon@gmail.com>
+
+ regex: fix heap-use-after-free error
+ [BZ #23609][BZ #18040]
+ Problem reported by Saito Takaaki <tails.saito@gmail.com> in
+ https://debbugs.gnu.org/32592
+ Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may
+ call extend_buffers which reallocates the re_string_t internal buffer.
+ Local variable 'buf' was not updated in such case, resulting in
+ use-after-free.
+ * posix/regexec.c (get_subexp): Update 'buf' after call to
+ get_subexp_sub.
+
2018-09-06 Stefan Liebler <stli@linux.ibm.com>
* sysdeps/s390/fpu/libm-test-ulps: Regenerated.
@@ -2777,6 +2777,7 @@ get_subexp (re_match_context_t *mctx, Idx bkref_node, Idx bkref_str_idx)
return REG_ESPACE;
err = get_subexp_sub (mctx, sub_top, sub_last, bkref_node,
bkref_str_idx);
+ buf = (const char *) re_string_get_buffer (&mctx->input);
if (err == REG_NOMATCH)
continue;
}
From: Assaf Gordon <assafgordon@gmail.com> [BZ #23609][BZ #18040] Problem reported by Saito Takaaki <tails.saito@gmail.com> in https://debbugs.gnu.org/32592 Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may call extend_buffers which reallocates the re_string_t internal buffer. Local variable 'buf' was not updated in such case, resulting in use-after-free. * posix/regexec.c (get_subexp): Update 'buf' after call to get_subexp_sub. --- ChangeLog | 13 +++++++++++++ posix/regexec.c | 1 + 2 files changed, 14 insertions(+)