[TRE-general] [Crm114-general] segv from /usr/lib/libtre.so.4 (tre-0.7.5)
Ville Laurikari
ville at laurikari.net
Sun Jan 7 09:35:15 EET 2007
On Sat, Jan 06, 2007 at 10:44:54PM -0500, Bill Y wrote:
> My guess is the result of REGCOMPing an invalid expression should be
> a compiled regex form that always returns an error condition; REG_ESPACE
> is one such, so it's not unreasonable to have another, in case someone
> hands regexec a bad compiled regex form.

Hmm... If regcomp() should return something even for invalid regexps,
it should be something that does not need to be regfree'd. Because
you are _not_ supposed to regfree() if you already got an error in
regcomp(). That's actually another source of potentially exploitable
bugs.

TRE uses just one pointer in the regex_t struct. I'll change TRE to
initialize it to NULL in case of errors, and have the other entry
points check for that. I think REG_BADPAT (invalid regexp) can be
used as the error code here.
--
http://www.iki.fi/vl/
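
The rule discussed in this message (no regfree() after a failed regcomp(), and an entry-point check that turns an uncompiled regex into REG_BADPAT) can also be enforced on the caller's side. The following is an added example, not part of the original message and not TRE's code; the `safe_regex` type and the `safe_*` function names are hypothetical, and it uses only the POSIX `<regex.h>` calls.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wrapper: remembers whether regcomp() succeeded, so that
 * exec and free can refuse to touch a regex_t that was never compiled. */
typedef struct {
    regex_t re;
    int compiled;               /* 1 only after a successful regcomp() */
} safe_regex;

/* Compile; on failure the wrapper stays in a known "not compiled" state. */
int safe_regcomp(safe_regex *s, const char *pattern, int cflags) {
    int rc;
    memset(s, 0, sizeof *s);
    rc = regcomp(&s->re, pattern, cflags);
    s->compiled = (rc == 0);
    return rc;
}

/* Entry-point check: an uncompiled or already freed regex yields
 * REG_BADPAT instead of being passed to the matcher. */
int safe_regexec(const safe_regex *s, const char *text) {
    if (s == NULL || !s->compiled)
        return REG_BADPAT;
    return regexec(&s->re, text, 0, NULL, 0);
}

/* regfree() runs only for a successfully compiled regex, and only once. */
void safe_regfree(safe_regex *s) {
    if (s != NULL && s->compiled) {
        regfree(&s->re);
        s->compiled = 0;
    }
}

int main(void) {
    safe_regex s;
    /* Constructed sample input: "a(b" has an unmatched parenthesis. */
    int rc = safe_regcomp(&s, "a(b", REG_EXTENDED);
    printf("compile failed: %d, exec gives REG_BADPAT: %d\n",
           rc != 0, safe_regexec(&s, "ab") == REG_BADPAT);
    safe_regfree(&s);           /* no-op: nothing was compiled */
    return 0;
}
```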