authorPhilip Withnall <withnall@endlessm.com>2017-01-11 17:14:18 +0000
committerPhilip Withnall <withnall@endlessm.com>2017-01-12 09:04:38 +0000
commit88e977266b92516b15f384e3990d90af557e0574 (patch)
tree6cc0b37b3e8a4856a7c668d3dd1499ee7eca2550
parent3b5b5696ed121ef6ff48fd076fccf95053db33a7 (diff)
gregex: Fix a potential use-after-free bug
If the match_info out argument is NULL, info will be freed, but then its matches member will be accessed. Spotted by Leslie Zhai <xiangzhai83@gmail.com>. https://bugzilla.gnome.org/show_bug.cgi?id=777077
-rw-r--r--glib/gregex.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/glib/gregex.c b/glib/gregex.c
index bde157101..76a5104db 100644
--- a/glib/gregex.c
+++ b/glib/gregex.c
@@ -1911,6 +1911,7 @@ g_regex_match_all_full (const GRegex *regex,
gboolean done;
pcre *pcre_re;
pcre_extra *extra;
+ gboolean retval;
g_return_val_if_fail (regex != NULL, FALSE);
g_return_val_if_fail (string != NULL, FALSE);
@@ -1984,13 +1985,14 @@ g_regex_match_all_full (const GRegex *regex,
/* set info->pos to -1 so that a call to g_match_info_next() fails. */
info->pos = -1;
+ retval = info->matches >= 0;
if (match_info != NULL)
*match_info = info;
else
g_match_info_free (info);
- return info->matches >= 0;
+ return retval;
}
/**
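Review bot: The new assignment `retval = info->matches >= 0;` has no comment saying it must stay ahead of the `g_match_info_free (info)` branch, so a later tidy-up could fold it back into the `return` and reintroduce the read of freed memory. I would add `/* Read info->matches now: info is freed below when match_info is NULL. */` directly above the assignment. A regression test that calls the function with a NULL match_info under a memory checker would pin the fix. The body of g_regex_match_all_full starts outside this hunk, so whether any earlier exit path touches info after a free cannot be checked from here.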