diff options
| author | Assaf Gordon <assafgordon@gmail.com> | 2018-09-05 23:25:07 -0700 |
|---|---|---|
| committer | Paul Eggert <eggert@cs.ucla.edu> | 2018-12-16 07:08:29 -0800 |
| commit | 077caf61d867d4cab49b5aa42da1611868596fe7 (patch) | |
| tree | 870ea6314a4cb90d4db2b91eca8f100c6cf6b688 /ChangeLog | |
| parent | 0c1719e65b2a5a80331d4f635612799f853b0479 (diff) | |
| download | glibc-077caf61d867d4cab49b5aa42da1611868596fe7.tar glibc-077caf61d867d4cab49b5aa42da1611868596fe7.tar.gz glibc-077caf61d867d4cab49b5aa42da1611868596fe7.tar.bz2 glibc-077caf61d867d4cab49b5aa42da1611868596fe7.zip | |
regex: fix heap-use-after-free error
[BZ #18040]
Problem reported by Saito Takaaki <tails.saito@gmail.com> in
https://debbugs.gnu.org/32592
Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may
call extend_buffers which reallocates the re_string_t internal buffer.
Local variable 'buf' was not updated in such case, resulting in
use-after-free.
* posix/regexec.c (get_subexp): Update 'buf' after call to
get_subexp_sub.
Diffstat (limited to 'ChangeLog')
| -rw-r--r-- | ChangeLog | 13 |
1 files changed, 13 insertions, 0 deletions
@@ -1,3 +1,16 @@ +2018-12-15 Assaf Gordon <assafgordon@gmail.com> + + regex: fix heap-use-after-free error + [BZ #18040] + Problem reported by Saito Takaaki <tails.saito@gmail.com> in + https://debbugs.gnu.org/32592 + Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may + call extend_buffers which reallocates the re_string_t internal buffer. + Local variable 'buf' was not updated in such case, resulting in + use-after-free. + * posix/regexec.c (get_subexp): Update 'buf' after call to + get_subexp_sub. + 2018-12-15 Florian Weimer <fweimer@redhat.com> * support/blob_repeat.c (check_mul_overflow_size_t): New function. |