Fix array bounds violation in regex matcher (bug 25149)

If the regex has more subexpressions than the number of elements allocated in the regmatch_t array passed to regexec then proceed_next_node may access the regmatch_t array outside its bounds. No testcase added because even without this bug it would then crash in pop_fail_stack which is bug 11053.
author: Andreas Schwab <schwab@suse.de> 2019-10-30 10:38:36 +0100
committer: Andreas Schwab <schwab@suse.de> 2019-11-11 12:24:59 +0100
commit: fc141ea78ee3d87c67b18488827fe2d89c9343e7 (patch)
tree: 1279ce8cbfa3f463a1bd628a66d9e084291b73f1
parent: 2e44b10b42d68d9887ccab17b76db5d7bbae4fb6 (diff)
download: glibc-fc141ea78ee3d87c67b18488827fe2d89c9343e7.tar.gz
1 files changed, 5 insertions, 2 deletions
diff --git a/posix/regexec.c b/posix/regexec.c
index 3c46ac81dd..38b6d6719a 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -1266,10 +1266,13 @@ proceed_next_node (const re_match_context_t *mctx, Idx nregs, regmatch_t *regs,
       if (type == OP_BACK_REF)
 	{
 	  Idx subexp_idx = dfa->nodes[node].opr.idx + 1;
-	  naccepted = regs[subexp_idx].rm_eo - regs[subexp_idx].rm_so;
+	  if (subexp_idx < nregs)
+	    naccepted = regs[subexp_idx].rm_eo - regs[subexp_idx].rm_so;
 	  if (fs != NULL)
 	    {
-	      if (regs[subexp_idx].rm_so == -1 || regs[subexp_idx].rm_eo == -1)
+	      if (subexp_idx >= nregs
+		  || regs[subexp_idx].rm_so == -1
+		  || regs[subexp_idx].rm_eo == -1)
 		return -1;
 	      else if (naccepted)
 		{
author	Andreas Schwab <schwab@suse.de>	2019-10-30 10:38:36 +0100
committer	Andreas Schwab <schwab@suse.de>	2019-11-11 12:24:59 +0100
commit	fc141ea78ee3d87c67b18488827fe2d89c9343e7 (patch)
tree	1279ce8cbfa3f463a1bd628a66d9e084291b73f1
parent	2e44b10b42d68d9887ccab17b76db5d7bbae4fb6 (diff)
download	glibc-fc141ea78ee3d87c67b18488827fe2d89c9343e7.tar.gz