From: Paul Eggert Date: Sat, 19 Sep 2015 20:53:34 +0000 (-0700) Subject: [CVE-2009-5155] Diagnose ERE '()|\1' X-Git-Tag: accepted/tizen/6.5/base/tool/20211027.121832^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F69%2F255169%2F1;p=product%2Fupstream%2Ffindutils.git [CVE-2009-5155] Diagnose ERE '()|\1' Problem reported by Hanno Böck in: http://bugs.gnu.org/21513 * lib/regcomp.c (parse_reg_exp): While parsing alternatives, keep track of the set of previously-completed subexpressions available before the first alternative, and restore this set just before parsing each subsequent alternative. This lets us diagnose the invalid back-reference in the ERE '()|\1'. Change-Id: Ib33e473e4935044e4c8b4ad4013644d290a6876c Signed-off-by: DongHun Kwak --- diff --git a/gnulib/lib/regcomp.c b/gnulib/lib/regcomp.c index fe4d243..7215af1 100644 --- a/gnulib/lib/regcomp.c +++ b/gnulib/lib/regcomp.c @@ -2116,6 +2116,7 @@ parse_reg_exp (re_string_t *regexp, regex_t *preg, re_token_t *token, { re_dfa_t *dfa = (re_dfa_t *) preg->buffer; bin_tree_t *tree, *branch = NULL; + bitset_word_t initial_bkref_map = dfa->completed_bkref_map; tree = parse_branch (regexp, preg, token, syntax, nest, err); if (BE (*err != REG_NOERROR && tree == NULL, 0)) return NULL; @@ -2126,9 +2127,16 @@ parse_reg_exp (re_string_t *regexp, regex_t *preg, re_token_t *token, if (token->type != OP_ALT && token->type != END_OF_RE && (nest == 0 || token->type != OP_CLOSE_SUBEXP)) { + bitset_word_t accumulated_bkref_map = dfa->completed_bkref_map; + dfa->completed_bkref_map = initial_bkref_map; branch = parse_branch (regexp, preg, token, syntax, nest, err); if (BE (*err != REG_NOERROR && branch == NULL, 0)) - return NULL; + { + if (tree != NULL) + postorder (tree, free_tree, NULL); + return NULL; + } + dfa->completed_bkref_map |= accumulated_bkref_map; } else branch = NULL;