fix regcomp handling of backslash followed by high byte

the regex parser handles the (undefined) case of an unexpected byte
following a backslash as a literal. however, instead of correctly
decoding a character, it was treating the byte value itself as a
character. this was not only semantically unjustified, but turned out
to be dangerous on archs where plain char is signed: bytes in the
range 252-255 alias the internal codes -4 through -1 used for special
types of literal nodes in the AST.

analogous to commit 39dfd58417ef642307d90306e1c7e50aaec5a35c in
mainline. it's unclear whether the same crash that affected mainline
is possible in the older regcomp code in 1.0.x, but conceptually the
bug is the same.

diff --git a/src/regex/regcomp.c b/src/regex/regcomp.c
index d90762751de177d920573adee799ddbd727765ad..01d42a8eb8676d7ffab34132507c90509d8c0287 100644 (file)
--- a/src/regex/regcomp.c
+++ b/src/regex/regcomp.c
@@ -1298,10 +1298,7 @@ tre_parse(tre_parse_ctx_t *ctx)
                  else
                    {
                      /* Escaped character. */
-                     result = tre_ast_new_literal(ctx->mem, *ctx->re, *ctx->re,
-                                                  ctx->position);
-                     ctx->position++;
-                     ctx->re++;
+                     goto parse_literal;
                    }
                  break;
                }