From: JinWang An
Date: Thu, 25 Feb 2021 04:25:50 +0000 (+0900)
Subject: [CVE-2009-5155] Diagnose ERE '()|\1'
X-Git-Tag: accepted/tizen/6.5/base/20230714.002603^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fheads%2Ftizen_6.5_base;p=platform%2Fupstream%2Fm4.git

[CVE-2009-5155] Diagnose ERE '()|\1'

Problem reported by Hanno Böck in: http://bugs.gnu.org/21513
* lib/regcomp.c (parse_reg_exp): While parsing alternatives, keep track of the set of previously-completed subexpressions available before the first alternative, and restore this set just before parsing each subsequent alternative. This lets us diagnose the invalid back-reference in the ERE '()|\1'.

Change-Id: I6de4f8c79837656f670b5c34a0869619af198abe
Signed-off-by: JinWang An
---

diff --git a/lib/regcomp.c b/lib/regcomp.c
index f0b2e52..6b7c105 100644
--- a/lib/regcomp.c
+++ b/lib/regcomp.c
@@ -2187,6 +2187,7 @@ parse_reg_exp (re_string_t *regexp, regex_t *preg, re_token_t *token,
 {
 re_dfa_t *dfa = preg->buffer;
 bin_tree_t *tree, *branch = NULL;
+ bitset_word_t initial_bkref_map = dfa->completed_bkref_map;
 tree = parse_branch (regexp, preg, token, syntax, nest, err);
 if (BE (*err != REG_NOERROR && tree == NULL, 0))
 return NULL;
@@ -2197,9 +2198,16 @@ parse_reg_exp (re_string_t *regexp, regex_t *preg, re_token_t *token,
 if (token->type != OP_ALT && token->type != END_OF_RE
 && (nest == 0 || token->type != OP_CLOSE_SUBEXP))
 {
+ bitset_word_t accumulated_bkref_map = dfa->completed_bkref_map;
+ dfa->completed_bkref_map = initial_bkref_map;
 branch = parse_branch (regexp, preg, token, syntax, nest, err);
 if (BE (*err != REG_NOERROR && branch == NULL, 0))
+ {
+ if (tree != NULL)
+ postorder (tree, free_tree, NULL);
 return NULL;
+ }
+ dfa->completed_bkref_map |= accumulated_bkref_map;
 }
 else
 branch = NULL;
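Review bot: The save, reset and merge of `dfa->completed_bkref_map` around the second `parse_branch` call in parse_reg_exp carries no comment, and the intent is easy to lose: each alternative has to be parsed against only the groups completed before the first alternative, which is what lets the `\1` in `()|\1` be rejected. I would add above the two new assignments `/* Parse this alternative with only the groups completed before the first one; merge the others back afterwards. */`, and a matching one-line comment on the `initial_bkref_map` declaration in the first hunk. The second hunk also adds freeing of `tree` on the error path, which the commit message does not mention; a line in the description would help anyone auditing this CVE-2009-5155 backport. On that error path the map is not merged back with `accumulated_bkref_map`, which is presumably harmless because compilation is failing, but it is worth confirming that nothing reuses `dfa` after the error return. The body of parse_reg_exp starts and ends outside both hunks, so the loop that reaches this code is not visible here.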