Fix calls of pcre2_substitute

If the output buffer given to pcre2_substitute is too small, an error value is written to the last parameter (output length). That value should not be used for calculations. This patch gives a copy as parameter instead. Coincidentally, this commit fixes the crashes of query classifier tests. Also, increase buffer growth rate in utils.c.
2017-04-03 16:35:15 +03:00
parent dca086571b
commit e0a98f6539
4 changed files with 32 additions and 17 deletions
--- a/server/modules/filter/regexfilter/regexfilter.c
+++ b/server/modules/filter/regexfilter/regexfilter.c
@ -427,19 +427,22 @@ regex_replace(const char *sql, pcre2_code *re, pcre2_match_data *match_data, con
        result_size = strlen(sql) + strlen(replace);
        result = MXS_MALLOC(result_size);

+        size_t result_size_tmp = result_size;
        while (result &&
               pcre2_substitute(re, (PCRE2_SPTR) sql, PCRE2_ZERO_TERMINATED, 0,
                                PCRE2_SUBSTITUTE_GLOBAL, match_data, NULL,
                                (PCRE2_SPTR) replace, PCRE2_ZERO_TERMINATED,
-                                (PCRE2_UCHAR*) result, (PCRE2_SIZE*) & result_size) == PCRE2_ERROR_NOMEMORY)
+                                (PCRE2_UCHAR*) result, (PCRE2_SIZE*) & result_size_tmp) == PCRE2_ERROR_NOMEMORY)
        {
+            result_size_tmp = 1.5 * result_size;
            char *tmp;
-            if ((tmp = MXS_REALLOC(result, (result_size *= 1.5))) == NULL)
+            if ((tmp = MXS_REALLOC(result, result_size_tmp)) == NULL)
            {
                MXS_FREE(result);
                result = NULL;
            }
            result = tmp;
+            result_size = result_size_tmp;
        }
    }
    return result;