From: Jim Meyering <jim@meyering.net>
Date: Thu, 11 Jan 2007 18:31:27 +0000 (+0100)
Subject: Avoid a leak in expr's implementation of the ":" (match) operator.
X-Git-Tag: COREUTILS-6_8~83
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4e2fd4cca630e887cabf030d926ca21e9d842634;p=thirdparty%2Fcoreutils.git

Avoid a leak in expr's implementation of the ":" (match) operator.
* src/expr.c (docolon): Free the regexp buffer using regfree, rather
than doing it manually, being careful to set fastmap to NULL first.
Free any re_regs.start and .end members, if necessary.
---

diff --git a/ChangeLog b/ChangeLog
index 6e4e9be31f..84bda39a4c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
 2007-01-11  Jim Meyering  <jim@meyering.net>
 
+	Avoid a leak in expr's implementation of the ":" (match) operator.
+	* src/expr.c (docolon): Free the regexp buffer using regfree, rather
+	than doing it manually, being careful to set fastmap to NULL first.
+	Free any re_regs.start and .end members, if necessary.
+
 	* tests/misc/test-diag: Work also when libc's error function
 	reports the entire program name ("../../src/test"), rather than
 	just the final component.
diff --git a/src/expr.c b/src/expr.c
index 7f9f5323db..352c80cc68 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -427,6 +427,10 @@ docolon (VALUE *sv, VALUE *pv)
   tostring (sv);
   tostring (pv);
 
+  re_regs.num_regs = 0;
+  re_regs.start = NULL;
+  re_regs.end = NULL;
+
   re_buffer.buffer = NULL;
   re_buffer.allocated = 0;
   re_buffer.fastmap = fastmap;
@@ -463,7 +467,13 @@ docolon (VALUE *sv, VALUE *pv)
 	   (matchlen == -2 ? errno : EOVERFLOW),
 	   _("error in regular expression matcher"));
 
-  free (re_buffer.buffer);
+  if (0 < re_regs.num_regs)
+    {
+      free (re_regs.start);
+      free (re_regs.end);
+    }
+  re_buffer.fastmap = NULL;
+  regfree (&re_buffer);
   return v;
 }