From d64b61398fcd1966ed43e437e2ee7f18cb6fdc9e Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Sat, 19 Sep 2015 13:53:34 -0700
Subject: [PATCH] [CVE-2009-5155] Diagnose ERE '()|\1'
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Problem reported by Hanno Böck in: http://bugs.gnu.org/21513
* lib/regcomp.c (parse_reg_exp): While parsing alternatives, keep track of the set of previously-completed subexpressions available before the first alternative, and restore this set just before parsing each subsequent alternative. This lets us diagnose the invalid back-reference in the ERE '()|\1'.

Change-Id: Id55c5afc1cc560444e82bdef4ce5462d2f3f6f3a
Signed-off-by: DongHun Kwak
---
 gnulib/lib/regcomp.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/gnulib/lib/regcomp.c b/gnulib/lib/regcomp.c
index fe4d243..ab0628f 100644
--- a/gnulib/lib/regcomp.c
+++ b/gnulib/lib/regcomp.c
@@ -2116,6 +2116,7 @@ parse_reg_exp (re_string_t *regexp, regex_t *preg, re_token_t *token,
 {
 re_dfa_t *dfa = (re_dfa_t *) preg->buffer;
 bin_tree_t *tree, *branch = NULL;
+ bitset_word_t initial_bkref_map = dfa->completed_bkref_map;
 tree = parse_branch (regexp, preg, token, syntax, nest, err);
 if (BE (*err != REG_NOERROR && tree == NULL, 0))
 return NULL;
@@ -2126,9 +2127,12 @@ parse_reg_exp (re_string_t *regexp, regex_t *preg, re_token_t *token,
 if (token->type != OP_ALT && token->type != END_OF_RE
 && (nest == 0 || token->type != OP_CLOSE_SUBEXP))
 {
+ bitset_word_t accumulated_bkref_map = dfa->completed_bkref_map;
+ dfa->completed_bkref_map = initial_bkref_map;
 branch = parse_branch (regexp, preg, token, syntax, nest, err);
 if (BE (*err != REG_NOERROR && branch == NULL, 0))
 return NULL;
+ dfa->completed_bkref_map |= accumulated_bkref_map;
 }
 else
 branch = NULL;
-- 
2.7.4
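Review bot: Neither hunk explains why `completed_bkref_map` is saved, reset and merged back, and the invariant is subtle enough that a later cleanup could drop one of the three steps; a comment above the two added lines in the second hunk would help, e.g. `/* A back-reference may only name a group completed before the alternation or within the current alternative, so parse each alternative with the map as it stood before the first one and merge the earlier alternatives' groups back afterwards.  */`. On the `return NULL;` error path between those added lines `dfa->completed_bkref_map` is left holding only `initial_bkref_map`; that looks harmless if the caller discards the DFA on a compile error, but parse_reg_exp continues outside the hunk, so it is worth confirming. The diffstat shows only regcomp.c touched, so no regression case accompanies the fix; a pair such as `()|\1` (must now be rejected) and `(a)\1|b` (must still compile) would pin the restore/merge ordering.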