From 234205a2e34464a9aabc9ab5e65692652f8fc910 Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Wed, 12 Aug 2015 00:48:11 -0400
Subject: [PATCH] Fix some possible low-memory failures in regexp compilation.

newnfa() failed to set the regex error state when malloc() fails.
Several places in regcomp.c failed to check for an error after calling
subre().  Each of these mistakes could lead to null-pointer-dereference
crashes in memory-starved backends.

Report and patch by Andreas Seltenreich.  Back-patch to all branches.
---
 src/backend/regex/regc_nfa.c | 3 +++
 src/backend/regex/regcomp.c  | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/src/backend/regex/regc_nfa.c b/src/backend/regex/regc_nfa.c
index 776bb59b867..e0d5af205f6 100644
--- a/src/backend/regex/regc_nfa.c
+++ b/src/backend/regex/regc_nfa.c
@@ -52,7 +52,10 @@ newnfa(struct vars * v,
 
 	nfa = (struct nfa *) MALLOC(sizeof(struct nfa));
 	if (nfa == NULL)
+	{
+		ERR(REG_ESPACE);
 		return NULL;
+	}
 
 	nfa->states = NULL;
 	nfa->slast = NULL;
diff --git a/src/backend/regex/regcomp.c b/src/backend/regex/regcomp.c
index 742539a90b9..38f48d5ddb8 100644
--- a/src/backend/regex/regcomp.c
+++ b/src/backend/regex/regcomp.c
@@ -942,6 +942,7 @@ parseqatom(struct vars * v,
 			NOERR();
 			assert(v->nextvalue > 0);
 			atom = subre(v, 'b', BACKR, lp, rp);
+			NOERR();
 			subno = v->nextvalue;
 			atom->subno = subno;
 			EMPTYARC(lp, rp);	/* temporarily, so there's something */
@@ -1076,6 +1077,7 @@ parseqatom(struct vars * v,
 
 	/* break remaining subRE into x{...} and what follows */
 	t = subre(v, '.', COMBINE(qprefer, atom->flags), lp, rp);
+	NOERR();
 	t->left = atom;
 	atomp = &t->left;
 
@@ -1084,6 +1086,7 @@ parseqatom(struct vars * v,
 	/* split top into prefix and remaining */
 	assert(top->op == '=' && top->left == NULL && top->right == NULL);
 	top->left = subre(v, '=', top->flags, top->begin, lp);
+	NOERR();
 	top->op = '.';
 	top->right = t;
 
-- 
GitLab