Problem reported by Anastasia Belova in: https://sourceware.org/pipermail/libc-alpha/2025-June/168231.html * lib/regcomp.c (parse_bracket_exp): Avoid double-free when storage allocation fails in create_token_tree. --- ChangeLog | 8 ++++++++ lib/regcomp.c | 4 +++- 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 1a9a4a9ada..30dabe44e3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2025-06-26 Paul Eggert <egg...@cs.ucla.edu>
+
+ regex: fix parse_bracket_exp double-free
+ Problem reported by Anastasia Belova in:
+ https://sourceware.org/pipermail/libc-alpha/2025-June/168231.html
+ * lib/regcomp.c (parse_bracket_exp): Avoid double-free
+ when storage allocation fails in create_token_tree.
+
 2025-06-25 Bruno Haible <br...@clisp.org>
 
 kwset: Add tests.
diff --git a/lib/regcomp.c b/lib/regcomp.c
index 41157e5c3a..878b65baf0 100644
--- a/lib/regcomp.c
+++ b/lib/regcomp.c
@@ -3280,6 +3280,7 @@ parse_bracket_exp (re_string_t *regexp, re_dfa_t *dfa, re_token_t *token,
 else
 {
 free_charset (mbcset);
+ mbcset = NULL;
 /* Build a tree for simple bracket. */
 br_token.type = SIMPLE_BRACKET;
 br_token.opr.sbcset = sbcset;
@@ -3293,7 +3294,8 @@ parse_bracket_exp (re_string_t *regexp, re_dfa_t *dfa, re_token_t *token,
 *err = REG_ESPACE;
 parse_bracket_exp_free_return:
 re_free (sbcset);
- free_charset (mbcset);
+ if (__glibc_likely (mbcset != NULL))
+ free_charset (mbcset);
 return NULL;
 }
 
-- 
2.48.1
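Review bot: The added `mbcset = NULL;` in the simple-bracket `else` branch has no comment, although it is the only thing that keeps the shared cleanup at `parse_bracket_exp_free_return` from releasing the charset a second time when `create_token_tree` fails. I would put `/* Already freed; clear it so the error path below does not free it again.  */` above the assignment, so a later tidy-up does not remove it as a dead store. parse_bracket_exp starts and ends outside this hunk, so whether any other early release of `mbcset` or `sbcset` needs the same treatment cannot be checked from here.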
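Review bot: The NULL guard at `parse_bracket_exp_free_return` protects only this call site, so any other caller that passes `free_charset` an already-cleared pointer still has the hazard. If `free_charset` dereferences its argument (its definition is not part of this patch), an early return on NULL inside it would let the label keep the plain `free_charset (mbcset);`, matching `re_free (sbcset)` on the line before, which is called unguarded and so presumably accepts NULL. The `__glibc_likely` hint adds little on an out-of-memory path and could be dropped. No regression test accompanies the fix; the path is reached only when allocation fails, so pinning it would take an allocation-failure run under a memory-error detector.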