From 171def31f9630fc8bc47e5fc3a562d19111ca546 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 25 Oct 2013 13:59:12 +0200 Subject: bugfix: memleak in re_extract() function Thanks to Pavel Levshin for reporting this problem. --- grammar/rainerscript.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'grammar/rainerscript.c') diff --git a/grammar/rainerscript.c b/grammar/rainerscript.c index 63bb6f67..9cacb4ae 100644 --- a/grammar/rainerscript.c +++ b/grammar/rainerscript.c @@ -1307,11 +1307,12 @@ doFunc_re_extract(struct cnffunc *func, struct var *ret, void* usrptr) iLenBuf); } +finalize_it: if(bMustFree) free(str); if(r[0].datatype == 'S') es_deleteStr(r[0].d.estr); if(r[2].datatype == 'S') es_deleteStr(r[2].d.estr); if(r[3].datatype == 'S') es_deleteStr(r[3].d.estr); -finalize_it: + if(bHadNoMatch) { cnfexprEval(func->expr[4], &r[4], usrptr); estr = var2String(&r[4], &bMustFree); -- cgit v1.2.3 From bf95d5f034221fbc49904c30774f4ae269d4df68 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 25 Oct 2013 14:20:36 +0200 Subject: bugfix: buffer overrun if re_extract function was called for submatch 50 Thanks to Pavel Levshin for reporting the problem and its location. --- grammar/rainerscript.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'grammar/rainerscript.c') diff --git a/grammar/rainerscript.c b/grammar/rainerscript.c index 9cacb4ae..b86f7c30 100644 --- a/grammar/rainerscript.c +++ b/grammar/rainerscript.c @@ -1259,7 +1259,7 @@ doFunc_re_extract(struct cnffunc *func, struct var *ret, void* usrptr) str = (char*) var2CString(&r[0], &bMustFree); matchnbr = (short) var2Number(&r[2], NULL); submatchnbr = (size_t) var2Number(&r[3], NULL); - if(submatchnbr > sizeof(pmatch)/sizeof(regmatch_t)) { + if(submatchnbr >= sizeof(pmatch)/sizeof(regmatch_t)) { DBGPRINTF("re_extract() submatch %d is too large\n", submatchnbr); bHadNoMatch = 1; goto finalize_it; -- cgit v1.2.3