Add missing error check in regexp parser.

tglsfdc · tglsfdc · commit 0c54796b5c74 · 2013-02-27T10:40:20.000-05:00
parseqatom() failed to check for an error return (NULL result) from its
recursive call to parsebranch(), and in consequence could crash with a
null-pointer dereference after an error return.  This bug has been there
since day one, but wasn't noticed before, probably because most error cases
in parsebranch() didn't actually lead to returning NULL.  Add the missing
error check, and also tweak parsebranch() to exit in a less indirect
fashion after a call to parseqatom() fails.

Report by Tomasz Karlik, fix by me.
diff --git a/src/backend/regex/regcomp.c b/src/backend/regex/regcomp.c
@@ -704,6 +704,7 @@ parsebranch(struct vars * v,
 
 		/* NB, recursion in parseqatom() may swallow rest of branch */
 		parseqatom(v, stopper, type, lp, right, t);
+		NOERRN();
 	}
 
 	if (!seencontent)
@@ -1148,6 +1149,7 @@ parseqatom(struct vars * v,
 		EMPTYARC(atom->end, rp);
 		t->right = subre(v, '=', 0, atom->end, rp);
 	}
+	NOERR();
 	assert(SEE('|') || SEE(stopper) || SEE(EOS));
 	t->flags |= COMBINE(t->flags, t->right->flags);
 	top->flags |= COMBINE(top->flags, t->flags);

Original file line number	Diff line number	Diff line change
`@@ -704,6 +704,7 @@ parsebranch(struct vars * v,`
`704`	`704`
`705`	`705`	`/* NB, recursion in parseqatom() may swallow rest of branch */`
`706`	`706`	`parseqatom(v, stopper, type, lp, right, t);`
	`707`	`+ NOERRN();`
`707`	`708`	`}`
`708`	`709`
`709`	`710`	`if (!seencontent)`
`@@ -1148,6 +1149,7 @@ parseqatom(struct vars * v,`
`1148`	`1149`	`EMPTYARC(atom->end, rp);`
`1149`	`1150`	`t->right = subre(v, '=', 0, atom->end, rp);`
`1150`	`1151`	`}`
	`1152`	`+ NOERR();`
`1151`	`1153`	`assert(SEE('\|') \|\| SEE(stopper) \|\| SEE(EOS));`
`1152`	`1154`	`t->flags \|= COMBINE(t->flags, t->right->flags);`
`1153`	`1155`	`top->flags \|= COMBINE(top->flags, t->flags);`