regex: fix parse_bracket_exp double-free
authorPaul Eggert <eggert@cs.ucla.edu>
Thu, 26 Jun 2025 17:54:14 +0000 (10:54 -0700)
committerPaul Eggert <eggert@cs.ucla.edu>
Thu, 26 Jun 2025 17:54:14 +0000 (10:54 -0700)
Problem reported by Anastasia Belova in:
https://sourceware.org/pipermail/libc-alpha/2025-June/168231.html
* lib/regcomp.c (parse_bracket_exp): Avoid double-free
when storage allocation fails in create_token_tree.

ChangeLog
lib/regcomp.c

index 1a9a4a9ada7f243f1d19db70404afd8a36115ad1..30dabe44e372ecb0448b9e97de3cb19dddb21f71 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2025-06-26  Paul Eggert  <eggert@cs.ucla.edu>
+
+       regex: fix parse_bracket_exp double-free
+       Problem reported by Anastasia Belova in:
+       https://sourceware.org/pipermail/libc-alpha/2025-June/168231.html
+       * lib/regcomp.c (parse_bracket_exp): Avoid double-free
+       when storage allocation fails in create_token_tree.
+
 2025-06-25  Bruno Haible  <bruno@clisp.org>
 
        kwset: Add tests.
index 41157e5c3a6a471c97deac4aea33f2480c37c07f..878b65baf07f2b4724052b055f6de28c2673933d 100644 (file)
@@ -3280,6 +3280,7 @@ parse_bracket_exp (re_string_t *regexp, re_dfa_t *dfa, re_token_t *token,
   else
     {
       free_charset (mbcset);
+      mbcset = NULL;
       /* Build a tree for simple bracket.  */
       br_token.type = SIMPLE_BRACKET;
       br_token.opr.sbcset = sbcset;
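Review bot: The added `mbcset = NULL;` has no comment, and nothing at this site says the assignment exists for the shared cleanup label further down. A reader tidying this branch could drop it as a dead store and bring back the double free described in the commit message. Suggest adding `/* mbcset is released here; clear it so parse_bracket_exp_free_return does not free it again.  */` on the line above the assignment. The function starts before and continues past this hunk, so the create_token_tree call that can fail is not visible here.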
@@ -3293,7 +3294,8 @@ parse_bracket_exp (re_string_t *regexp, re_dfa_t *dfa, re_token_t *token,
   *err = REG_ESPACE;
  parse_bracket_exp_free_return:
   re_free (sbcset);
-  free_charset (mbcset);
+  if (__glibc_likely (mbcset != NULL))
+    free_charset (mbcset);
   return NULL;
 }
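Review bot: The `__glibc_likely` hint in the cleanup under `parse_bracket_exp_free_return` sits on a path that runs only on failure, so it adds little; a plain `if (mbcset != NULL)` reads more simply. The guard itself is needed only if free_charset cannot accept a null pointer, which this hunk does not show. If so, a short comment such as `/* free_charset does not accept NULL.  */` would keep a later cleanup from removing the check. The label is also reached by gotos outside the hunk, so it is worth confirming that none of them arrives after ownership of mbcset has passed elsewhere.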