path: root/src
diff options
authorRich Felker <>2015-03-30 02:13:59 -0400
committerRich Felker <>2015-03-30 02:13:59 -0400
commitee6f8114dfc02709f5df7f19bff0d774aef50fce (patch)
tree006b9cd7737d5d6f27367e3fe763680ff60d48eb /src
parent7987653d57b47d5dd8f90bd5b4f7736dd941a807 (diff)
fix regcomp handling of backslash followed by high byte
the regex parser handles the (undefined) case of an unexpected byte following a backslash as a literal. however, instead of correctly decoding a character, it was treating the byte value itself as a character. this was not only semantically unjustified, but turned out to be dangerous on archs where plain char is signed: bytes in the range 252-255 alias the internal codes -4 through -1 used for special types of literal nodes in the AST. analogous to commit 39dfd58417ef642307d90306e1c7e50aaec5a35c in mainline. it's unclear whether the same crash that affected mainline is possible in the older regcomp code in 1.0.x, but conceptually the bug is the same.
Diffstat (limited to 'src')
1 files changed, 1 insertions, 4 deletions
diff --git a/src/regex/regcomp.c b/src/regex/regcomp.c
index d9076275..01d42a8e 100644
--- a/src/regex/regcomp.c
+++ b/src/regex/regcomp.c
@@ -1298,10 +1298,7 @@ tre_parse(tre_parse_ctx_t *ctx)
/* Escaped character. */
- result = tre_ast_new_literal(ctx->mem, *ctx->re, *ctx->re,
- ctx->position);
- ctx->position++;
- ctx->re++;
+ goto parse_literal;