File regcomp-double-free.patch of Package glibc.42654

From 6a52d5cab01ee8d3303f7c0939d6b2618c8a9606 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Mon, 21 Jul 2025 21:43:49 +0200
Subject: [PATCH] posix: Fix double-free after allocation failure in regcomp
 (bug 33185)

If a memory allocation failure occurs during bracket expression
parsing in regcomp, a double-free error may result.

Reported-by: Anastasia Belova <abelova@astralinux.ru>
Co-authored-by: Paul Eggert <eggert@cs.ucla.edu>
Reviewed-by: Andreas K. Huettel <dilfridge@gentoo.org>
(cherry picked from commit 7ea06e994093fa0bcca0d0ee2c1db271d8d7885d)
---
 NEWS                             |   1 +
 posix/Makefile                   |   1 +
 posix/regcomp.c                  |   4 +-
 posix/tst-regcomp-bracket-free.c | 176 +++++++++++++++++++++++++++++++
 4 files changed, 181 insertions(+), 1 deletion(-)
 create mode 100644 posix/tst-regcomp-bracket-free.c

Index: glibc-2.22/posix/regcomp.c
===================================================================
--- glibc-2.22.orig/posix/regcomp.c
+++ glibc-2.22/posix/regcomp.c
@@ -3388,6 +3388,7 @@ parse_bracket_exp (re_string_t *regexp,
     {
 #ifdef RE_ENABLE_I18N
       free_charset (mbcset);
+      mbcset = NULL;
 #endif
       /* Build a tree for simple bracket.  */
       br_token.type = SIMPLE_BRACKET;
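Review bot: The added `mbcset = NULL;` carries no comment explaining why a pointer is cleared immediately after `free_charset (mbcset)`, and the reason is only visible in the next hunk, where the `parse_bracket_exp_free_return` label frees `mbcset` again. I would put `/* Cleared so the cleanup at parse_bracket_exp_free_return does not free it a second time.  */` above the assignment, so the ownership rule stays with the code rather than in the commit message. The jump from this branch to that label is presumably taken when the token-tree allocation that follows fails; that code lies outside the hunk, so confirm it against the full function.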
@@ -3403,7 +3404,8 @@ parse_bracket_exp (re_string_t *regexp,
  parse_bracket_exp_free_return:
   re_free (sbcset);
 #ifdef RE_ENABLE_I18N
-  free_charset (mbcset);
+  if (__glibc_likely (mbcset != NULL))
+    free_charset (mbcset);
 #endif /* RE_ENABLE_I18N */
   return NULL;
 }
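Review bot: The `__glibc_likely` hint on `mbcset != NULL` sits under a label that, as far as the hunk shows, is reached only on failure paths ending in `return NULL`, so the hint buys nothing there; a plain `if (mbcset != NULL)` would read more clearly. The guard also implies that `free_charset` must not be called with NULL, unlike the unguarded `re_free (sbcset)` two lines above, so a short comment such as `/* mbcset is NULL if the simple-bracket branch already released it.  */` would record why only this call is checked. The diffstat lists posix/tst-regcomp-bracket-free.c, but this backport carries only the regcomp.c hunks, so the allocation-failure path appears to have no regression test in this package. The function body begins outside the hunk.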