authorPaul Eggert <eggert@cs.ucla.edu>2019-08-21 09:25:22 -0700
committerPaul Eggert <eggert@cs.ucla.edu>2019-08-21 11:02:19 -0700
commit8a80ee5e2bab17a1f8e1e78fab5c33ac7efa8b29 (patch)
treea72040c5d2c3d0bdd6523c7cb4da9c751a9e9c43
parent1baae4aa6f3313da77d799f12f963910b05db637 (diff)
Fix bad pointer / leak in regex code
This was found by Coverity (CID 1484201). [BZ#24844] * posix/regex_internal.c (create_cd_newstate): Fix use of bad pointer and/or memory leak when storage is exhausted.
-rw-r--r--ChangeLog7
-rw-r--r--posix/regex_internal.c10
2 files changed, 14 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 5e07cee941..2db09d2f18 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2019-08-21 Paul Eggert <eggert@cs.ucla.edu>
+
+ Fix bad pointer / leak in regex code
+ This was found by Coverity (CID 1484201). [BZ#24844]
+ * posix/regex_internal.c (create_cd_newstate): Fix use of bad
+ pointer and/or memory leak when storage is exhausted.
+
2019-08-21 Zack Weinberg <zackw@panix.com>
* misc/syslog.c (__vsyslog_internal)
diff --git a/posix/regex_internal.c b/posix/regex_internal.c
index 9004ce809e..f53ded93a8 100644
--- a/posix/regex_internal.c
+++ b/posix/regex_internal.c
@@ -1716,15 +1716,19 @@ create_cd_newstate (const re_dfa_t *dfa, const re_node_set *nodes,
{
if (newstate->entrance_nodes == &newstate->nodes)
{
- newstate->entrance_nodes = re_malloc (re_node_set, 1);
- if (__glibc_unlikely (newstate->entrance_nodes == NULL))
+ re_node_set *entrance_nodes = re_malloc (re_node_set, 1);
+ if (__glibc_unlikely (entrance_nodes == NULL))
{
free_state (newstate);
return NULL;
}
+ newstate->entrance_nodes = entrance_nodes;
if (re_node_set_init_copy (newstate->entrance_nodes, nodes)
!= REG_NOERROR)
- return NULL;
+ {
+ free_state (newstate);
+ return NULL;
+ }
nctx_nodes = 0;
newstate->has_constraint = 1;
}
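Review bot: The new failure branch after `re_node_set_init_copy` hands `free_state` a `newstate` whose `entrance_nodes` points at freshly `re_malloc`'ed, uninitialized storage that the failed copy only partly set up, so the cleanup is sound only if `re_node_set_init_copy` leaves the set in a releasable state on failure (presumably `elems` set to NULL); neither function is visible in this hunk, so that should be confirmed. I would record the invariant where the temporary is introduced, e.g. `/* Publish entrance_nodes only once allocated; free_state must never see a NULL or half-built set here.  */`. With the local already in hand, the copy could also take it directly, `if (re_node_set_init_copy (entrance_nodes, nodes) != REG_NOERROR)`, which makes it clearer which object is being initialized. Both branches run only when storage is exhausted, so the ordinary regex tests are unlikely to exercise them; the body of create_cd_newstate starts and ends outside the hunk.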