]> granicus.if.org Git - postgresql/commitdiff
projects / postgresql / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 298d1f8)
Fix some possible low-memory failures in regexp compilation.
authorTom Lane <tgl@sss.pgh.pa.us>
Wed, 12 Aug 2015 04:48:11 +0000 (00:48 -0400)
committerTom Lane <tgl@sss.pgh.pa.us>
Wed, 12 Aug 2015 04:48:54 +0000 (00:48 -0400)
newnfa() failed to set the regex error state when malloc() fails.
Several places in regcomp.c failed to check for an error after calling
subre().  Each of these mistakes could lead to null-pointer-dereference
crashes in memory-starved backends.

Report and patch by Andreas Seltenreich.  Back-patch to all branches.

src/backend/regex/regc_nfa.c patch | blob | history
src/backend/regex/regcomp.c patch | blob | history

diff --git a/src/backend/regex/regc_nfa.c b/src/backend/regex/regc_nfa.c
index eef0cffb013178c67dc4ca66785f4151f5707b16..b9ce11115c1a14faa75240e0cce4b384dc07a772 100644 (file)
--- a/src/backend/regex/regc_nfa.c
+++ b/src/backend/regex/regc_nfa.c
@@ -52,7 +52,10 @@ newnfa(struct vars * v,
 
        nfa = (struct nfa *) MALLOC(sizeof(struct nfa));
        if (nfa == NULL)
+       {
+               ERR(REG_ESPACE);
                return NULL;
+       }
 
        nfa->states = NULL;
        nfa->slast = NULL;
diff --git a/src/backend/regex/regcomp.c b/src/backend/regex/regcomp.c
index be44b12ede7e27e5aa881974bbdb798807b1304c..400084678953e0770defdaa99864fa396229461d 100644 (file)
--- a/src/backend/regex/regcomp.c
+++ b/src/backend/regex/regcomp.c
@@ -934,6 +934,7 @@ parseqatom(struct vars * v,
                        NOERR();
                        assert(v->nextvalue > 0);
                        atom = subre(v, 'b', BACKR, lp, rp);
+                       NOERR();
                        subno = v->nextvalue;
                        atom->subno = subno;
                        EMPTYARC(lp, rp);       /* temporarily, so there's something */
@@ -1064,6 +1065,7 @@ parseqatom(struct vars * v,
 
        /* break remaining subRE into x{...} and what follows */
        t = subre(v, '.', COMBINE(qprefer, atom->flags), lp, rp);
+       NOERR();
        t->left = atom;
        atomp = &t->left;
 
@@ -1072,6 +1074,7 @@ parseqatom(struct vars * v,
        /* split top into prefix and remaining */
        assert(top->op == '=' && top->left == NULL && top->right == NULL);
        top->left = subre(v, '=', top->flags, top->begin, lp);
+       NOERR();
        top->op = '.';
        top->right = t;
 
Unnamed repository; edit this file 'description' to name the repository.