From 7e23b63bd8e0776f90c915d72fced4215eefadb0 Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Wed, 12 Aug 2015 00:48:11 -0400
Subject: [PATCH] Fix some possible low-memory failures in regexp compilation.
newnfa() failed to set the regex error state when malloc() fails. Several places in regcomp.c failed to check for an error after calling subre(). Each of these mistakes could lead to null-pointer-dereference crashes in memory-starved backends. Report and patch by Andreas Seltenreich. Back-patch to all branches.
---
 src/backend/regex/regc_nfa.c | 3 +++
 src/backend/regex/regcomp.c | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/src/backend/regex/regc_nfa.c b/src/backend/regex/regc_nfa.c
index eef0cffb013..b9ce11115c1 100644
--- a/src/backend/regex/regc_nfa.c
+++ b/src/backend/regex/regc_nfa.c
@@ -52,7 +52,10 @@ newnfa(struct vars * v,
 nfa = (struct nfa *) MALLOC(sizeof(struct nfa));
 if (nfa == NULL)
+ {
+ ERR(REG_ESPACE);
 return NULL;
+ }
 nfa->states = NULL;
 nfa->slast = NULL;
diff --git a/src/backend/regex/regcomp.c b/src/backend/regex/regcomp.c
index be44b12ede7..40008467895 100644
--- a/src/backend/regex/regcomp.c
+++ b/src/backend/regex/regcomp.c
@@ -934,6 +934,7 @@ parseqatom(struct vars * v,
 NOERR();
 assert(v->nextvalue > 0);
 atom = subre(v, 'b', BACKR, lp, rp);
+ NOERR();
 subno = v->nextvalue;
 atom->subno = subno;
 EMPTYARC(lp, rp); /* temporarily, so there's something */
@@ -1064,6 +1065,7 @@ parseqatom(struct vars * v,
 /* break remaining subRE into x{...} and what follows */
 t = subre(v, '.', COMBINE(qprefer, atom->flags), lp, rp);
+ NOERR();
 t->left = atom;
 atomp = &t->left;
@@ -1072,6 +1074,7 @@ parseqatom(struct vars * v,
 /* split top into prefix and remaining */
 assert(top->op == '=' && top->left == NULL && top->right == NULL);
 top->left = subre(v, '=', top->flags, top->begin, lp);
+ NOERR();
 top->op = '.';
 top->right = t;
--
2.39.5
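Review bot: The new `ERR(REG_ESPACE);` branch in newnfa() (regc_nfa.c hunk) gives the function a two-part failure contract, a NULL return plus a recorded error, and nothing in the hunk documents it. The commit message suggests the crashes came from callers that test the error state rather than the returned pointer, so the contract is worth stating at the function header, e.g. `/* On allocation failure, records REG_ESPACE and returns NULL; callers must check before dereferencing. */`. The header and the rest of newnfa() are outside the hunk, so any later allocations in its body should be checked for the same omission.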
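Review bot: In the last parseqatom() hunk (regcomp.c, `@@ -1072,6 +1074,7 @@`), the added `NOERR();` after `top->left = subre(...)` sits before `top->right = t;`, so, assuming NOERR() returns early when an error is pending, the `t` node created in the previous hunk (with `atom` already stored in `t->left`) is not reachable from `top` on that path. Whether it is still released depends on how subre() tracks its allocations, which is not visible in this diff; if cleanup only walks the tree under `top`, this would be a leak on the out-of-memory path. A one-line comment such as `/* t is not yet linked under top; compile cleanup must free it on error */` would record the assumption. parseqatom() begins and ends outside all three hunks, so other subre() call sites in it cannot be checked from here.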