[CVE-2009-5155] Diagnose ERE '()|\1tizen_6.5.m2_releasesubmit/tizen_6.5/20211028.163601submit/tizen/20210225.050828accepted/tizen/unified/20210226.131945accepted/tizen/6.5/unified/20211028.225003tizen_6.5backup/parted-3.1-20220120accepted/tizen_6.5_unified

Problem reported by Hanno Böck in: http://bugs.gnu.org/21513
* lib/regcomp.c (parse_reg_exp): While parsing alternatives, keep
track of the set of previously-completed subexpressions available
before the first alternative, and restore this set just before
parsing each subsequent alternative.  This lets us diagnose the
invalid back-reference in the ERE '()|\1'.

Change-Id: I8080b06fd938b6a615a7e6db251e76fb7d7ca66e
Signed-off-by: JinWang An <jinwang.an@samsung.com>

1 files changed, 8 insertions, 0 deletions

diff --git a/lib/regcomp.c b/lib/regcomp.c
index 76128a5..e415783 100644
--- a/lib/regcomp.c
+++ b/lib/regcomp.c
@@ -2175,6 +2175,7 @@ parse_reg_exp (re_string_t *regexp, regex_t *preg, re_token_t *token,
 {
   re_dfa_t *dfa = (re_dfa_t *) preg->buffer;
   bin_tree_t *tree, *branch = NULL;
+  bitset_word_t initial_bkref_map = dfa->completed_bkref_map;
   tree = parse_branch (regexp, preg, token, syntax, nest, err);
   if (BE (*err != REG_NOERROR && tree == NULL, 0))
     return NULL;
@@ -2185,9 +2186,16 @@ parse_reg_exp (re_string_t *regexp, regex_t *preg, re_token_t *token,
       if (token->type != OP_ALT && token->type != END_OF_RE
 	  && (nest == 0 || token->type != OP_CLOSE_SUBEXP))
 	{
+      bitset_word_t accumulated_bkref_map = dfa->completed_bkref_map;
+      dfa->completed_bkref_map = initial_bkref_map;
 	  branch = parse_branch (regexp, preg, token, syntax, nest, err);
 	  if (BE (*err != REG_NOERROR && branch == NULL, 0))
+	  {
+	    if (tree != NULL)
+		  postorder (tree, free_tree, NULL);
 	    return NULL;
+	  }
+	  dfa->completed_bkref_map |= accumulated_bkref_map;
 	}
       else
 	branch = NULL;