From: Rich Felker Date: Fri, 20 Mar 2015 22:06:04 +0000 (-0400) Subject: fix memory-corruption in regcomp with backslash followed by high byte X-Git-Tag: v1.1.8~6 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=39dfd58417ef642307d90306e1c7e50aaec5a35c;p=oweals%2Fmusl.git fix memory-corruption in regcomp with backslash followed by high byte the regex parser handles the (undefined) case of an unexpected byte following a backslash as a literal. however, instead of correctly decoding a character, it was treating the byte value itself as a character. this was not only semantically unjustified, but turned out to be dangerous on archs where plain char is signed: bytes in the range 252-255 alias the internal codes -4 through -1 used for special types of literal nodes in the AST. --- diff --git a/src/regex/regcomp.c b/src/regex/regcomp.c index 4cdaa1ea..bce6bc15 100644 --- a/src/regex/regcomp.c +++ b/src/regex/regcomp.c @@ -847,7 +847,7 @@ static reg_errcode_t parse_atom(tre_parse_ctx_t *ctx, const char *s) } else { /* extension: accept unknown escaped char as a literal */ - node = tre_ast_new_literal(ctx->mem, *s, *s, ctx->position); + goto parse_literal; } ctx->position++; }
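Review bot: in the final else branch of parse_atom, `goto parse_literal;` leaves the block before reaching the `ctx->position++;` that follows it in the context lines, so the parse_literal path now has to increment the position and step past the escaped character itself. That label is outside this hunk, so it is worth confirming it does both, and that it behaves sensibly when the bytes after the backslash do not form a valid character in the current locale, a case the removed `tre_ast_new_literal(ctx->mem, *s, *s, ctx->position)` call never had to consider because it used the raw byte. The comment "extension: accept unknown escaped char as a literal" could also say that the character is now decoded rather than taken as a byte value. A regression test compiling a pattern with a backslash followed by each of the bytes 252 through 255 would pin the fix down.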