[MXS-394] Faults in regex_replace function of regexfilter.c
Created: 2015-10-05  Updated: 2015-11-03  Resolved: 2015-11-03

Status: Closed
Project: MariaDB MaxScale
Component/s: regexfilter
Affects Version/s: 1.2.1
Fix Version/s: 1.3.0

Type: Bug
Priority: Major
Reporter: martin brampton (Inactive)
Assignee: markus makela
Resolution: Fixed
Votes: 0
Labels: None
Environment: Any

 Description   

The function uses realloc without checks. More immediately significant, on line 456 the variable "result" is reallocated, but no change is made to the pointer to it. Consequently, the memcpy that follows is liable to write into the freed memory space resulting from the realloc operation.

The function could be more effective if it made two passes, first computing the space required for the transformed string, then making a memory allocation (if necessary) and carrying out the replacements.

But it would probably be better altogether to use the PCRE function "pcre2_substitute" which appears to do the job without any development effort at all.
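
An added example, not MaxScale's code and not part of the original report: the append step of a replace loop written so that the result of realloc is checked and the buffer pointer is updated before the memcpy. The names outbuf, outbuf_append and replace_all are hypothetical, and literal strstr matching stands in for the regex match offsets.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Growable output buffer (hypothetical names, not MaxScale's). */
struct outbuf { char *data; size_t len, cap; };

/* Append n bytes, growing if needed. Returns 0 on success, -1 on failure.
 * The fault described in the report corresponds to calling
 * realloc(b->data, newcap), discarding the return value, and then
 * copying through the old b->data, which may already be freed. */
static int outbuf_append(struct outbuf *b, const char *src, size_t n)
{
    if (n > SIZE_MAX - b->len - 1) return -1;     /* size_t overflow */
    size_t need = b->len + n + 1;                 /* +1 for the NUL */
    if (need > b->cap) {
        size_t newcap = b->cap ? b->cap : 16;
        while (newcap < need) {
            if (newcap > SIZE_MAX / 2) { newcap = need; break; }
            newcap *= 2;
        }
        char *tmp = realloc(b->data, newcap);     /* keep old pointer until checked */
        if (tmp == NULL) return -1;               /* b->data still valid; caller frees */
        b->data = tmp;                            /* the block may have moved */
        b->cap = newcap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    b->data[b->len] = '\0';
    return 0;
}

/* Replace every occurrence of match in in with rep.
 * Returns a malloc'd string, or NULL on empty match or allocation failure. */
char *replace_all(const char *in, const char *match, const char *rep)
{
    struct outbuf b = { NULL, 0, 0 };
    size_t mlen = strlen(match), rlen = strlen(rep);
    const char *p = in, *hit;
    if (mlen == 0) return NULL;
    if (outbuf_append(&b, "", 0) != 0) return NULL;   /* result is never NULL on success */
    while ((hit = strstr(p, match)) != NULL) {
        if (outbuf_append(&b, p, (size_t)(hit - p)) != 0 ||
            outbuf_append(&b, rep, rlen) != 0) { free(b.data); return NULL; }
        p = hit + mlen;
    }
    if (outbuf_append(&b, p, strlen(p)) != 0) { free(b.data); return NULL; }
    return b.data;
}
```

The caller owns the returned string and releases it with free().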



 Comments   
Comment by markus makela [ 2015-11-03 ]

This was fixed by upgrading to PCRE2.
