Avoid a leak in expr's implementation of the ":" (match) operator.

* src/expr.c (docolon): Free the regexp buffer using regfree, rather
than doing it manually, being careful to set fastmap to NULL first.
Free any re_regs.start and .end members, if necessary.

diff --git a/ChangeLog b/ChangeLog
index 6e4e9be31f960c680ad5825ca90535101fec562d..84bda39a4ca013493f4b43a4bf60e16e1814c112 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
 2007-01-11  Jim Meyering  <jim@meyering.net>
 
+       Avoid a leak in expr's implementation of the ":" (match) operator.
+       * src/expr.c (docolon): Free the regexp buffer using regfree, rather
+       than doing it manually, being careful to set fastmap to NULL first.
+       Free any re_regs.start and .end members, if necessary.
+
        * tests/misc/test-diag: Work also when libc's error function
        reports the entire program name ("../../src/test"), rather than
        just the final component.

diff --git a/src/expr.c b/src/expr.c
index 7f9f5323db7114d129c513073bee84a640e9319d..352c80cc68bae558c290ce50dfe49e02151930f5 100644 (file)
--- a/src/expr.c
+++ b/src/expr.c
@@ -427,6 +427,10 @@ docolon (VALUE *sv, VALUE *pv)
   tostring (sv);
   tostring (pv);
 
+  re_regs.num_regs = 0;
+  re_regs.start = NULL;
+  re_regs.end = NULL;
+
   re_buffer.buffer = NULL;
   re_buffer.allocated = 0;
   re_buffer.fastmap = fastmap;
@@ -463,7 +467,13 @@ docolon (VALUE *sv, VALUE *pv)
           (matchlen == -2 ? errno : EOVERFLOW),
           _("error in regular expression matcher"));
 
-  free (re_buffer.buffer);
+  if (0 < re_regs.num_regs)
+    {
+      free (re_regs.start);
+      free (re_regs.end);
+    }
+  re_buffer.fastmap = NULL;
+  regfree (&re_buffer);
   return v;
 }