diff options
author | Philip Withnall <withnall@endlessm.com> | 2017-01-11 17:14:18 +0000 |
---|---|---|
committer | Philip Withnall <withnall@endlessm.com> | 2017-01-12 09:04:38 +0000 |
commit | 88e977266b92516b15f384e3990d90af557e0574 (patch) | |
tree | 6cc0b37b3e8a4856a7c668d3dd1499ee7eca2550 /glib/gregex.c | |
parent | 3b5b5696ed121ef6ff48fd076fccf95053db33a7 (diff) | |
download | glib-88e977266b92516b15f384e3990d90af557e0574.tar.gz |
gregex: Fix a potential use-after-free bug
If the match_info out argument is NULL, info will be freed, but then its
matches member will be accessed.
Spotted by Leslie Zhai <xiangzhai83@gmail.com>.
https://bugzilla.gnome.org/show_bug.cgi?id=777077
Diffstat (limited to 'glib/gregex.c')
-rw-r--r-- | glib/gregex.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/glib/gregex.c b/glib/gregex.c index bde157101..76a5104db 100644 --- a/glib/gregex.c +++ b/glib/gregex.c @@ -1911,6 +1911,7 @@ g_regex_match_all_full (const GRegex *regex, gboolean done; pcre *pcre_re; pcre_extra *extra; + gboolean retval; g_return_val_if_fail (regex != NULL, FALSE); g_return_val_if_fail (string != NULL, FALSE); @@ -1984,13 +1985,14 @@ g_regex_match_all_full (const GRegex *regex, /* set info->pos to -1 so that a call to g_match_info_next() fails. */ info->pos = -1; + retval = info->matches >= 0; if (match_info != NULL) *match_info = info; else g_match_info_free (info); - return info->matches >= 0; + return retval; } /** |