Correct an out-of-bounds read in regcomp when the RE is bad.
When passed the invalid regular expression "a**", the error is
eventually detected and seterr() is called. It sets p->error
appropriatly and p->next and p->end to nuls which is a never used char
nuls[10] which is zeros due to .bss initialization. Unfortunatly,
p_ere_exp() and p_simp_re() both have fall through cases where they set
the error, decrement p->next and access it which means a read from
whatever .bss variable comes before nuls.
Found with regex_test:repet_multi and CHERI bounds checking.
projects / FreeBSD / FreeBSD.git / commit