    Fix array overrun in regex code. · 2a4c46e0
    Tom Lane authored
    zaptreesubs() was coded to unconditionally reset a capture subre's
    corresponding pmatch[] entry.  However, in regexes without backrefs, that
    array is caller-supplied and might not have as many entries as the regex
    has capturing parens.  So check the array length and do nothing if there
    is no corresponding entry, much as subset() does.  Failure to check this
    resulted in a stack clobber in the case reported by Marko Kreen.
    
    This bug appears to have been latent in the regex library from the
    beginning.  It was not exposed because find() called dissect() not
    cdissect(), and the dissect() code path didn't ever call zaptreesubs()
    (formerly zapmem()).  When I unified dissect() and cdissect() in commit
    4dd78bf3, the problem was exposed.
    
    Now that I've seen this, I'm rather suspicious that we might need to
    back-patch it; but will refrain for now, for lack of evidence that
    the case can be hit in the previous coding.
regexec.c 32.2 KB
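The bug class the commit describes, a capture-reset routine writing `pmatch[n]` for every capturing paren even though the caller supplied only `nmatch` entries, as an added example. This is illustrative code written for this page, not PostgreSQL's regexec.c: `regmatch_t`, `struct subre`, `struct vars`, the three-paren tree and the two `zaptreesubs_*` routines are simplified stand-ins, and the `2` in "caller asked for two slots" is a constructed scenario standing in for a `regexec(&re, s, 2, pmatch, 0)` call.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the regex library's types (assumption, not the real layout). */
typedef struct { long rm_so, rm_eo; } regmatch_t;

struct subre {                 /* parse-tree node; op == '(' marks capturing paren subno */
    char op;
    int subno;                 /* capture number, 1-based; 0 is the whole match */
    struct subre *left, *right;
};

struct vars {                  /* per-match state; pmatch is owned by the caller */
    regmatch_t *pmatch;
    size_t nmatch;             /* number of entries the caller actually provided */
};

/* Buggy shape: resets pmatch[subno] unconditionally.  With subno >= nmatch this
 * writes past the caller's array (a stack clobber when the caller declared
 * pmatch on its stack).  Shown for contrast; only ever called in-bounds below. */
static void zaptreesubs_unchecked(struct vars *v, struct subre *t)
{
    if (t == NULL) return;
    if (t->op == '(') {
        v->pmatch[t->subno].rm_so = -1;
        v->pmatch[t->subno].rm_eo = -1;
    }
    zaptreesubs_unchecked(v, t->left);
    zaptreesubs_unchecked(v, t->right);
}

/* Fixed shape: do nothing when the caller's array has no slot for this paren.
 * Returns how many captures were skipped so the check can be observed. */
static int zaptreesubs_checked(struct vars *v, struct subre *t)
{
    int skipped = 0;
    if (t == NULL) return 0;
    if (t->op == '(') {
        assert(t->subno > 0);
        if ((size_t) t->subno < v->nmatch) {
            v->pmatch[t->subno].rm_so = -1;
            v->pmatch[t->subno].rm_eo = -1;
        } else {
            skipped++;
        }
    }
    skipped += zaptreesubs_checked(v, t->left);
    skipped += zaptreesubs_checked(v, t->right);
    return skipped;
}

/* Constructed tree for a pattern shaped like "(a)(b)(c)": three capturing
 * parens chained through right links under a non-capturing root. */
static struct subre paren3 = {'(', 3, NULL, NULL};
static struct subre paren2 = {'(', 2, NULL, &paren3};
static struct subre paren1 = {'(', 1, NULL, &paren2};
static struct subre tree_root = {'.', 0, &paren1, NULL};

/* Caller asked for only two slots (whole match + group 1).  With the check,
 * group 1 is reset, group 0 is untouched and the canary past the array survives.
 * Returns 2: groups 2 and 3 had no corresponding entry. */
int demo_short_pmatch(void)
{
    struct { regmatch_t pmatch[2]; long canary; } caller = {{{5, 5}, {5, 5}}, 0x5a5a};
    struct vars v = { caller.pmatch, 2 };

    int skipped = zaptreesubs_checked(&v, &tree_root);

    assert(caller.pmatch[1].rm_so == -1 && caller.pmatch[1].rm_eo == -1);
    assert(caller.pmatch[0].rm_so == 5 && caller.pmatch[0].rm_eo == 5);
    assert(caller.canary == 0x5a5a);
    return skipped;
}

/* With an array big enough for every paren, the check never fires and both
 * routines leave identical results.  Returns 0, or -1 on any disagreement. */
int demo_full_pmatch(void)
{
    regmatch_t a[4], b[4];
    for (int i = 0; i < 4; i++) { a[i].rm_so = a[i].rm_eo = 9; b[i] = a[i]; }
    struct vars va = { a, 4 }, vb = { b, 4 };

    int skipped = zaptreesubs_checked(&va, &tree_root);
    zaptreesubs_unchecked(&vb, &tree_root);   /* safe here: every subno < nmatch */

    for (int i = 0; i < 4; i++)
        if (a[i].rm_so != b[i].rm_so || a[i].rm_eo != b[i].rm_eo) return -1;
    if (a[0].rm_so != 9 || a[1].rm_so != -1 || a[3].rm_eo != -1) return -1;
    return skipped;
}

int main(void)
{
    printf("short pmatch: %d captures skipped\n", demo_short_pmatch());
    printf("full pmatch:  %d captures skipped\n", demo_full_pmatch());
    return 0;
}
```

The check mirrors the commit's description of the fix: compare the capture number against the caller's `nmatch` before touching `pmatch`, and fall through silently when there is no slot, since a caller who asked for fewer entries has no interest in those groups. The canary field only demonstrates that the checked routine stays inside the array; it would not reliably catch the unchecked routine, which is undefined behaviour rather than a guaranteed adjacent write.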