From 2ce47f454b6f1df5d2374fcac1b72e65e5f55a67 Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@linux-m68k.org>
Date: Fri, 20 Jun 2014 12:41:27 +0200
Subject: [PATCH] Fix another memory leak in regexp compiler (BZ #17069)

(cherry picked from commit aa6ec754f3b4b1df81d186480c534b6486a1e6ee)

Conflicts:
	NEWS
---
 ChangeLog           | 7 +++++++
 NEWS                | 2 +-
 posix/bug-regex36.c | 4 ++--
 posix/regcomp.c     | 6 +++++-
 4 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 8dd7e30c5e0..816f536bcb3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2014-06-20  Andreas Schwab  <schwab@linux-m68k.org>
+
+	[BZ #17069]
+	* posix/regcomp.c (parse_reg_exp): Deallocate partially
+	constructed tree before returning error.
+	* posix/bug-regexp36.c: Expand test case.
+
 2014-06-19  Andreas Schwab  <schwab@linux-m68k.org>
 
 	[BZ #17069]
diff --git a/NEWS b/NEWS
index 4eebd676117..3f762d1ffb4 100644
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,7 @@ Version 2.19.1
 * The following bugs are resolved with this release:
 
   15946, 16545, 16574, 16623, 16882, 16885, 16916, 16932, 16943, 16958,
-  17048.
+  17048, 17069.
 
 * CVE-2014-4043 The posix_spawn_file_actions_addopen implementation did not
   copy the path argument.  This allowed programs to cause posix_spawn to
diff --git a/posix/bug-regex36.c b/posix/bug-regex36.c
index 3dda0265854..59e2b6d321e 100644
--- a/posix/bug-regex36.c
+++ b/posix/bug-regex36.c
@@ -1,4 +1,4 @@
-/* Test regcomp not leaking memory on invalid repetition operator
+/* Test regcomp not leaking memory on parse errors
    Copyright (C) 2014 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
@@ -24,6 +24,6 @@ main (int argc, char **argv)
 {
   regex_t r;
   mtrace ();
-  regcomp (&r, "[a]\\{-2,}", 0);
+  regcomp (&r, "[a]\\|[a]\\{-2,}", 0);
   regfree (&r);
 }
diff --git a/posix/regcomp.c b/posix/regcomp.c
index a5020be1929..076eca3e7c7 100644
--- a/posix/regcomp.c
+++ b/posix/regcomp.c
@@ -2154,7 +2154,11 @@ parse_reg_exp (re_string_t *regexp, regex_t *preg, re_token_t *token,
 	{
 	  branch = parse_branch (regexp, preg, token, syntax, nest, err);
 	  if (BE (*err != REG_NOERROR && branch == NULL, 0))
-	    return NULL;
+	    {
+	      if (tree != NULL)
+		postorder (tree, free_tree, NULL);
+	      return NULL;
+	    }
 	}
       else
 	branch = NULL;
-- 
2.47.2