Add missing error check in regexp parser.

parseqatom() failed to check for an error return (NULL result) from its recursive call to parsebranch(), and in consequence could crash with a null-pointer dereference after an error return. This bug has been there since day one, but wasn't noticed before, probably because most error cases in parsebranch() didn't actually lead to returning NULL. Add the missing error check, and also tweak parsebranch() to exit in a less indirect fashion after a call to parseqatom() fails. Report by Tomasz Karlik, fix by me.

Add missing error check in regexp parser.
parseqatom() failed to check for an error return (NULL result) from its recursive call to parsebranch(), and in consequence could crash with a null-pointer dereference after an error return. This bug has been there since day one, but wasn't noticed before, probably because most error cases in parsebranch() didn't actually lead to returning NULL. Add the missing error check, and also tweak parsebranch() to exit in a less indirect fashion after a call to parseqatom() fails. Report by Tomasz Karlik, fix by me.
73dc003b · Tom Lane · 08f97280 · 73dc003b
Commit 73dc003b authored Feb 27, 2013 by Tom Lane
Show whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

src/backend/regex/regcomp.c src/backend/regex/regcomp.c +2 -0

No files found.
--- a/src/backend/regex/regcomp.c
+++ b/src/backend/regex/regcomp.c
@@ -712,6 +712,7 @@ parsebranch(struct vars * v,
 		/* NB, recursion in parseqatom() may swallow rest of branch */
 		parseqatom(v, stopper, type, lp, right, t);
+		NOERRN();
 	}
 	if (!seencontent)
@@ -1169,6 +1170,7 @@ parseqatom(struct vars * v,
 		EMPTYARC(s2, rp);
 		t->right = subre(v, '=', 0, s2, rp);
 	}
+	NOERR();
 	assert(SEE('|') || SEE(stopper) || SEE(EOS));
 	t->flags |= COMBINE(t->flags, t->right->flags);
 	top->flags |= COMBINE(top->flags, t->flags);