GNU bug report logs - #32592
s with i modifier seems to work incorrectly

Previous Next

Package: sed;

Reported by: Saito Takaaki <tails.saito <at> gmail.com>

Date: Thu, 30 Aug 2018 14:44:01 UTC

Severity: normal

Tags: fixed

Done: Assaf Gordon <assafgordon <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Jim Meyering <jim <at> meyering.net>
To: Assaf Gordon <assafgordon <at> gmail.com>
Cc: bill-auger <at> peers.community, Eric Blake <eblake <at> redhat.com>, 32592 <at> debbugs.gnu.org, tails.saito <at> gmail.com, "bug-gnulib <at> gnu.org List" <bug-gnulib <at> gnu.org>
Subject: bug#32592: heap-use-after-free in regex module
Date: Wed, 5 Sep 2018 21:45:57 -0700

On Wed, Sep 5, 2018 at 6:28 PM Assaf Gordon <assafgordon <at> gmail.com> wrote:
>
> Bruno alerted me off-list:
>
> On 05/09/18 07:19 PM, Bruno Haible wrote:
>  > Is the ChangeLog entry up-to-date?
>  >
>  > +    * regexec.c (get_subexp): Update 'buf' after call to get_subexp_sub.
>  > +    Additionally, check for allocation errors and bail out if needed.
>  >
>  > I don't see a code change for
>  > "check for allocation errors and bail out if needed".
>
> Thanks!
>
> I initially had a check for REG_NOERROR there, but removed it.
>
> Attached an updated patch without the outdated comment.

Very nice work!

Your change looks fine: set "buf" to account for potentially-moved
allocation, just as is done on three other lines above.
However, I couldn't help but notice this nonsense right after the line
you inserted:

          if (err == REG_NOMATCH)
            continue;
        }

That is an "if (...) continue;" just before the closing brace of a
for-loop. Those two lines constitute a no-op and should be removed,
though not as part of your change.
This bug report was last modified 6 years and 281 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.