Created attachment 49
Patch

busybox expr crashes if a non-matching \(..\)* block appears in the first position. Example:

    busybox expr match '' '\(x\)*'

In that case regexec returns regmatch_t with only the first entry filled and busybox tries (without checking) to read a substring from re_regs[1]. But re_regs[1].rm_so == -1

    /* expr uses an anchored pattern match, so check that there was a
     * match and that the match starts at offset 0. */
    if (regexec(&re_buffer, sv->u.s, NMATCH, re_regs, 0) != REG_NOMATCH
     && re_regs[0].rm_so == 0
    ) {
        /* Were \(...\) used? */
        if (re_buffer.re_nsub > 0) {
            sv->u.s[re_regs[1].rm_eo] = '\0';
            v = str_value(sv->u.s + re_regs[1].rm_so);
        } else {
            v = int_value(re_regs[0].rm_eo);
        }

I suggest that adding

    && re_regs[1].rm_so != -1

should suffice to overcome this problem. Patch attached.
This is not an enhancement.
Created attachment 89
Patch to be applied to svn in a minute

I think you have it in a slightly wrong place in your patch. I will do it this way.
fixed in revision 25507, thanks for pointing out where it happens!
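The crash reported in the first comment, as an added example that is not BusyBox code and not the committed patch: the hypothetical helper expr_match() does the same anchored regexec match and reads group 1 only when its offsets show that the group took part in the match. The helper name, buffer sizes and sample inputs are assumptions made for the illustration.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define NMATCH 2

/* Hypothetical helper, not BusyBox code: anchored BRE match in the style of
 * `expr match`. Returns 1 on a match at offset 0, 0 on no match, -1 on a bad
 * pattern. `out` receives group 1 if the pattern has groups, else the match
 * length as decimal text. */
int expr_match(const char *str, const char *pat, char *out, size_t outsz)
{
    regex_t re;
    regmatch_t m[NMATCH];
    int matched = 0;

    out[0] = '\0';
    if (regcomp(&re, pat, 0) != 0)      /* cflags 0 selects basic regex */
        return -1;
    if (regexec(&re, str, NMATCH, m, 0) == 0 && m[0].rm_so == 0) {
        matched = 1;
        if (re.re_nsub > 0) {
            /* A group that took no part in the match is reported with
             * offsets of -1; indexing the string with them is the
             * out-of-bounds access from the report, so test first. */
            if (m[1].rm_so >= 0)
                snprintf(out, outsz, "%.*s",
                         (int)(m[1].rm_eo - m[1].rm_so), str + m[1].rm_so);
        } else {
            snprintf(out, outsz, "%d", (int)m[0].rm_eo);
        }
    }
    regfree(&re);
    return matched;
}

int main(void)
{
    /* Constructed inputs; the first pair is the reproducer from the report. */
    const char *cases[][2] = {
        { "", "\\(x\\)*" }, { "xxy", "\\(x\\)*" }, { "abc", "ab" }, { "abc", "b" },
    };
    char buf[64];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int rc = expr_match(cases[i][0], cases[i][1], buf, sizeof buf);
        printf("match '%s' '%s' -> rc=%d out=\"%s\"\n",
               cases[i][0], cases[i][1], rc, buf);
    }
    return 0;
}
```
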