-rw-r--r--ChangeLog4
-rw-r--r--grammar/rainerscript.c5
2 files changed, 7 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index ff2890e4..6e2c47ab 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -179,6 +179,10 @@ Version 7.5.0 [devel] 2013-06-11
Thanks to Axel Rau for the patch.
---------------------------------------------------------------------------
Version 7.4.6 [v7.4-stable] 2013-11-??
+- bugfix: buffer overrun if re_extract function was called for submatch 50
+ Thanks to Pavel Levshin for reporting the problem and its location.
+- bugfix: memleak in re_extract() function
+ Thanks to Pavel Levshin for reporting this problem.
- bugfix: memory leak in omhiredis
Thanks to Pavel Levshin for the fix
- bugfix: segfault if variable was assigned to non-container subtree
diff --git a/grammar/rainerscript.c b/grammar/rainerscript.c
index b73366c2..0f16a816 100644
--- a/grammar/rainerscript.c
+++ b/grammar/rainerscript.c
@@ -1370,7 +1370,7 @@ doFunc_re_extract(struct cnffunc *func, struct var *ret, void* usrptr)
str = (char*) var2CString(&r[0], &bMustFree);
matchnbr = (short) var2Number(&r[2], NULL);
submatchnbr = (size_t) var2Number(&r[3], NULL);
- if(submatchnbr > sizeof(pmatch)/sizeof(regmatch_t)) {
+ if(submatchnbr >= sizeof(pmatch)/sizeof(regmatch_t)) {
DBGPRINTF("re_extract() submatch %d is too large\n", submatchnbr);
bHadNoMatch = 1;
goto finalize_it;
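Review bot: The debug message in the rejection branch formats `submatchnbr` with `%d`, but the value comes from a `(size_t)` cast two lines above, so the specifier presumably does not match the variable's type (its declaration is outside the hunk). This matters because a negative script argument wraps to a very large size_t, and this message is the only trace of the rejected index; on 64-bit targets it would be printed truncated. Assuming DBGPRINTF forwards to a printf-family formatter, I would change the line to `DBGPRINTF("re_extract() submatch %zu is too large\n", submatchnbr);`. The bound could also be written `sizeof(pmatch)/sizeof(pmatch[0])` so it keeps tracking the array if its element type ever changes.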
@@ -1418,11 +1418,12 @@ doFunc_re_extract(struct cnffunc *func, struct var *ret, void* usrptr)
iLenBuf);
}
+finalize_it:
if(bMustFree) free(str);
if(r[0].datatype == 'S') es_deleteStr(r[0].d.estr);
if(r[2].datatype == 'S') es_deleteStr(r[2].d.estr);
if(r[3].datatype == 'S') es_deleteStr(r[3].d.estr);
-finalize_it:
+
if(bHadNoMatch) {
cnfexprEval(func->expr[4], &r[4], usrptr);
estr = var2String(&r[4], &bMustFree);
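Review bot: With the label moved above the cleanup, every `goto finalize_it` now runs `free(str)` and reads `r[0]`, `r[2]` and `r[3]`, but nothing at the label records that these must already be set. The one jump visible in this commit (the submatch range check) happens after all of them are in use, but the rest of doFunc_re_extract is outside the hunk, so any earlier jump would need checking. I would add a comment at the label such as `/* every jump here must come after str, r[0], r[2] and r[3] have been evaluated */`. A second short comment noting that `bMustFree` is deliberately reused for `estr` right after `str` is freed would help the next reader.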