Fix some possible low-memory failures in regexp compilation.

tglsfdc · tglsfdc · commit 7e23b63bd8e0 · 2015-08-12T00:48:54.000-04:00
newnfa() failed to set the regex error state when malloc() fails.
Several places in regcomp.c failed to check for an error after calling
subre().  Each of these mistakes could lead to null-pointer-dereference
crashes in memory-starved backends.

Report and patch by Andreas Seltenreich.  Back-patch to all branches.
diff --git a/src/backend/regex/regc_nfa.c b/src/backend/regex/regc_nfa.c
@@ -52,7 +52,10 @@ newnfa(struct vars * v,
 
 	nfa = (struct nfa *) MALLOC(sizeof(struct nfa));
 	if (nfa == NULL)
+	{
+		ERR(REG_ESPACE);
 		return NULL;
+	}
 
 	nfa->states = NULL;
 	nfa->slast = NULL;
diff --git a/src/backend/regex/regcomp.c b/src/backend/regex/regcomp.c
@@ -934,6 +934,7 @@ parseqatom(struct vars * v,
 			NOERR();
 			assert(v->nextvalue > 0);
 			atom = subre(v, 'b', BACKR, lp, rp);
+			NOERR();
 			subno = v->nextvalue;
 			atom->subno = subno;
 			EMPTYARC(lp, rp);	/* temporarily, so there's something */
@@ -1064,6 +1065,7 @@ parseqatom(struct vars * v,
 
 	/* break remaining subRE into x{...} and what follows */
 	t = subre(v, '.', COMBINE(qprefer, atom->flags), lp, rp);
+	NOERR();
 	t->left = atom;
 	atomp = &t->left;
 
@@ -1072,6 +1074,7 @@ parseqatom(struct vars * v,
 	/* split top into prefix and remaining */
 	assert(top->op == '=' && top->left == NULL && top->right == NULL);
 	top->left = subre(v, '=', top->flags, top->begin, lp);
+	NOERR();
 	top->op = '.';
 	top->right = t;
 
