posix: Fix double-free after allocation failure in regcomp (bug 33185)release/2.37/master

If a memory allocation failure occurs during bracket expression parsing in regcomp, a double-free error may result. Reported-by: Anastasia Belova <abelova@astralinux.ru> Co-authored-by: Paul Eggert <eggert@cs.ucla.edu> Reviewed-by: Andreas K. Huettel <dilfridge@gentoo.org> (cherry picked from commit 7ea06e994093fa0bcca0d0ee2c1db271d8d7885d)
author: Florian Weimer <fweimer@redhat.com> 2025-07-21 21:43:49 +0200
committer: Florian Weimer <fweimer@redhat.com> 2025-07-24 09:51:33 +0200
commit: 58b768addbc7a1696741157b34dd9580688c354e (patch)
tree: 0f758c02495c6167d9d19e684e17f35f3c14b99f /posix/regcomp.c
parent: ea179f9a37eb7031c6ffc12a5ec16085a1ba6453 (diff)
download: glibc-release/2.37/master.zip
glibc-release/2.37/master.tar.gz
glibc-release/2.37/master.tar.bz2
1 files changed, 3 insertions, 1 deletions
diff --git a/posix/regcomp.c b/posix/regcomp.c
index c3231ea..04594b7 100644
--- a/posix/regcomp.c
+++ b/posix/regcomp.c
@@ -3383,6 +3383,7 @@ parse_bracket_exp (re_string_t *regexp, re_dfa_t *dfa, re_token_t *token,
     {
 #ifdef RE_ENABLE_I18N
       free_charset (mbcset);
+      mbcset = NULL;
 #endif
       /* Build a tree for simple bracket.  */
       br_token.type = SIMPLE_BRACKET;
@@ -3398,7 +3399,8 @@ parse_bracket_exp (re_string_t *regexp, re_dfa_t *dfa, re_token_t *token,
  parse_bracket_exp_free_return:
   re_free (sbcset);
 #ifdef RE_ENABLE_I18N
-  free_charset (mbcset);
+  if (__glibc_likely (mbcset != NULL))
+    free_charset (mbcset);
 #endif /* RE_ENABLE_I18N */
   return NULL;
 }
author	Florian Weimer <fweimer@redhat.com>	2025-07-21 21:43:49 +0200
committer	Florian Weimer <fweimer@redhat.com>	2025-07-24 09:51:33 +0200
commit	58b768addbc7a1696741157b34dd9580688c354e (patch)
tree	0f758c02495c6167d9d19e684e17f35f3c14b99f /posix/regcomp.c
parent	ea179f9a37eb7031c6ffc12a5ec16085a1ba6453 (diff)
download	glibc-release/2.37/master.zip glibc-release/2.37/master.tar.gz glibc-release/2.37/master.tar.bz2