diff options
author | Dimitry Andric <dim@FreeBSD.org> | 2016-08-02 20:25:22 +0000 |
---|---|---|
committer | Dimitry Andric <dim@FreeBSD.org> | 2016-08-02 20:25:22 +0000 |
commit | 00f060000f4ecfafdf376ba43e6f7e3652a1f527 (patch) | |
tree | 32066b026a83cb8c68746525d4137b79d03e98ee | |
parent | 20136ffc7b01833e5048403957f7b0ee252a56d0 (diff) | |
download | src-00f060000f4ecfafdf376ba43e6f7e3652a1f527.tar.gz src-00f060000f4ecfafdf376ba43e6f7e3652a1f527.zip |
Fix a segfault in bsdgrep when parsing the invalid extended regexps "?"
or "+" (these are invalid, because there is no preceding operand).
When bsdgrep attempts to emulate GNU grep in discarding and ignoring the
invalid ? or + operators, some later logic in tre_compile_fast() goes
beyond the end of the buffer, leading to a crash.
Fix this by bailing out, and reporting a bad pattern instead.
Reported by: Steve Kargl
MFC after: 1 week
Notes
Notes:
svn path=/head/; revision=303676
-rw-r--r-- | usr.bin/grep/regex/tre-fastmatch.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/usr.bin/grep/regex/tre-fastmatch.c b/usr.bin/grep/regex/tre-fastmatch.c index 0881c557ecff..08e17c79b8cc 100644 --- a/usr.bin/grep/regex/tre-fastmatch.c +++ b/usr.bin/grep/regex/tre-fastmatch.c @@ -621,7 +621,7 @@ tre_compile_fast(fastmatch_t *fg, const tre_char_t *pat, size_t n, case TRE_CHAR('+'): case TRE_CHAR('?'): if ((cflags & REG_EXTENDED) && (i == 0)) - continue; + goto badpat; else if ((cflags & REG_EXTENDED) ^ !escaped) STORE_CHAR; else |