From 88e977266b92516b15f384e3990d90af557e0574 Mon Sep 17 00:00:00 2001
From: Philip Withnall
Date: Wed, 11 Jan 2017 17:14:18 +0000
Subject: [PATCH] gregex: Fix a potential use-after-free bug
If the match_info out argument is NULL, info will be freed, but then its matches member will be accessed. Spotted by Leslie Zhai .
https://bugzilla.gnome.org/show_bug.cgi?id=777077
---
 glib/gregex.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/glib/gregex.c b/glib/gregex.c
index bde157101..76a5104db 100644
--- a/glib/gregex.c
+++ b/glib/gregex.c
@@ -1911,6 +1911,7 @@ g_regex_match_all_full (const GRegex *regex,
 gboolean done;
 pcre *pcre_re;
 pcre_extra *extra;
+ gboolean retval;
 g_return_val_if_fail (regex != NULL, FALSE);
 g_return_val_if_fail (string != NULL, FALSE);
@@ -1984,13 +1985,14 @@ g_regex_match_all_full (const GRegex *regex,
 /* set info->pos to -1 so that a call to g_match_info_next() fails. */
 info->pos = -1;
+ retval = info->matches >= 0;
 if (match_info != NULL)
 *match_info = info;
 else
 g_match_info_free (info);
- return info->matches >= 0;
+ return retval;
 }
 /**
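Review bot: In the second hunk, nothing at `retval = info->matches >= 0;` says why the result is read before the `if`/`else`, so a later cleanup could fold it back into the `return` and reintroduce the read of freed memory when `match_info` is NULL. A one-line comment above the assignment would pin the ordering: `/* Read info->matches now: info is freed below when match_info is NULL. */`. The diffstat shows only glib/gregex.c changed, so the NULL `match_info` path gets no regression test in this commit; a test that calls g_regex_match_all_full() with a NULL `match_info` and runs under a memory checker would catch a recurrence. The function starts outside the hunk, but everything after the free is visible here and no longer touches `info`.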