Fix ancient bug in parsing of BRE-mode regular expressions.

brenext(), when parsing a '*' quantifier, forgot to return any "value"
for the token; per the equivalent case in next(), it should return
value 1 to indicate that greedy rather than non-greedy behavior is
wanted.  The result is that the compiled regexp could behave like 'x*?'
rather than the intended 'x*', if we were unlucky enough to have
a zero in v->nextvalue at this point.  That seems to happen with some
reliability if we have '.*' at the beginning of a BRE-mode regexp,
although that depends on the initial contents of a stack-allocated
struct, so it's not guaranteed to fail.

Found by Alexander Lakhin using valgrind testing.  This bug seems
to be aboriginal in Spencer's code, so back-patch all the way.

Discussion: https://postgr.es/m/16814-6c5e3edd2bdf0d50@postgresql.org

diff --git a/src/backend/regex/regc_lex.c b/src/backend/regex/regc_lex.c
index 38617b79fd146df87158e2f033fdc21b16ec7a10..ca2bce48312aab1709389eca3a84b87adf6b8b8c 100644 (file)
--- a/src/backend/regex/regc_lex.c
+++ b/src/backend/regex/regc_lex.c
@@ -994,7 +994,7 @@ brenext(struct vars *v,
        case CHR('*'):
            if (LASTTYPE(EMPTY) || LASTTYPE('(') || LASTTYPE('^'))
                RETV(PLAIN, c);
-           RET('*');
+           RETV('*', 1);
            break;
        case CHR('['):
            if (HAVE(6) && *(v->now + 0) == CHR('[') &&