diff options
author | Paul Eggert <eggert@cs.ucla.edu> | 2015-09-19 13:53:34 -0700 |
---|---|---|
committer | DongHun Kwak <dh0128.kwak@samsung.com> | 2021-03-15 11:22:35 +0900 |
commit | 39b747de1dc9dfc8ea061cd24e0a2bd6f1ffad6e (patch) | |
tree | ebde93fd1affc4b0a9eddcb988ab79d83f03a56f | |
parent | 42a04cb81533de4c8b7d67a70b94b944eb122fc8 (diff) | |
download | sed-39b747de1dc9dfc8ea061cd24e0a2bd6f1ffad6e.tar.gz sed-39b747de1dc9dfc8ea061cd24e0a2bd6f1ffad6e.tar.bz2 sed-39b747de1dc9dfc8ea061cd24e0a2bd6f1ffad6e.zip |
[CVE-2009-5155] Diagnose ERE '()|\1'tizen_7.0_m2_releasetizen_6.5.m2_releasesubmit/tizen_base/20210315.022747submit/tizen_7.0_base_hotfix/20221115.161701submit/tizen_7.0_base/20221028.201301submit/tizen_6.5_base/20211027.201201submit/tizen_6.5_base/20211027.183102submit/tizen_6.5_base/20211026.180902accepted/tizen/base/tool/20210315.221235accepted/tizen/7.0/base/tool/hotfix/20221115.084813accepted/tizen/7.0/base/tool/20221028.120739accepted/tizen/7.0/base/hotfix/20230714.004023accepted/tizen/7.0/base/20230714.003214accepted/tizen/6.5/base/tool/20211027.121800accepted/tizen/6.5/base/tool/20211027.105659accepted/tizen/6.5/base/20230714.002806tizen_7.0_base_hotfixtizen_7.0_basetizen_6.5_baseaccepted/tizen_7.0_base_tool_hotfixaccepted/tizen_7.0_base_toolaccepted/tizen_7.0_base_hotfixaccepted/tizen_7.0_baseaccepted/tizen_6.5_base_toolaccepted/tizen_6.5_base
Problem reported by Hanno Böck in: http://bugs.gnu.org/21513
* lib/regcomp.c (parse_reg_exp): While parsing alternatives, keep
track of the set of previously-completed subexpressions available
before the first alternative, and restore this set just before
parsing each subsequent alternative. This lets us diagnose the
invalid back-reference in the ERE '()|\1'.
Change-Id: I02bb5b734d57fc46685ebf7cd0e91af41e33a21a
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
-rw-r--r-- | lib/regcomp.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/regcomp.c b/lib/regcomp.c index 6e317f5..faa7382 100644 --- a/lib/regcomp.c +++ b/lib/regcomp.c @@ -2138,6 +2138,7 @@ parse_reg_exp (re_string_t *regexp, regex_t *preg, re_token_t *token, { re_dfa_t *dfa = (re_dfa_t *) preg->buffer; bin_tree_t *tree, *branch = NULL; + bitset_word_t initial_bkref_map = dfa->completed_bkref_map; tree = parse_branch (regexp, preg, token, syntax, nest, err); if (BE (*err != REG_NOERROR && tree == NULL, 0)) return NULL; @@ -2148,9 +2149,16 @@ parse_reg_exp (re_string_t *regexp, regex_t *preg, re_token_t *token, if (token->type != OP_ALT && token->type != END_OF_RE && (nest == 0 || token->type != OP_CLOSE_SUBEXP)) { + bitset_word_t accumulated_bkref_map = dfa->completed_bkref_map; + dfa->completed_bkref_map = initial_bkref_map; branch = parse_branch (regexp, preg, token, syntax, nest, err); if (BE (*err != REG_NOERROR && branch == NULL, 0)) - return NULL; + { + if (tree != NULL) + postorder (tree, free_tree, NULL); + return NULL; + } + dfa->completed_bkref_map |= accumulated_bkref_map; } else branch = NULL; |