public inbox for glibc-bugs-regex@sourceware.org
* [Bug regex/11053] New: Segfault on invalid backreference
@ 2009-12-04 19:36 bonzini at gnu dot org
  2010-04-05 19:39 ` [Bug regex/11053] " drepper at redhat dot com
  2010-04-09 17:46 ` [Bug regex/11053] Wrong results with backreferences bonzini at gnu dot org
  0 siblings, 2 replies; 28+ messages in thread
From: bonzini at gnu dot org @ 2009-12-04 19:36 UTC (permalink / raw)
  To: glibc-bugs-regex

$ echo 87654321 | \
  grep -E -e '^(.?)(.?)(.?)(.?)(.?)(.?)(.?)(.?)(.?).?\9\8\7\6\5\4\3\2\1$' 
Segmentation fault

Will work on a C reproducer soon.

-- 
           Summary: Segfault on invalid backreference
           Product: glibc
           Version: 2.11
            Status: NEW
          Severity: normal
          Priority: P2
         Component: regex
        AssignedTo: drepper at redhat dot com
        ReportedBy: bonzini at gnu dot org
                CC: glibc-bugs-regex at sources dot redhat dot com,glibc-
                    bugs at sources dot redhat dot com


http://sourceware.org/bugzilla/show_bug.cgi?id=11053

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



* [Bug regex/11053] Segfault on invalid backreference
  2009-12-04 19:36 [Bug regex/11053] New: Segfault on invalid backreference bonzini at gnu dot org
@ 2010-04-05 19:39 ` drepper at redhat dot com
  2010-04-09 17:46 ` [Bug regex/11053] Wrong results with backreferences bonzini at gnu dot org
  1 sibling, 0 replies; 28+ messages in thread
From: drepper at redhat dot com @ 2010-04-05 19:39 UTC (permalink / raw)
  To: glibc-bugs-regex



-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|drepper at redhat dot com   |bonzini at gnu dot org
             Status|NEW                         |ASSIGNED


http://sourceware.org/bugzilla/show_bug.cgi?id=11053


* [Bug regex/11053] Wrong results with backreferences
  2009-12-04 19:36 [Bug regex/11053] New: Segfault on invalid backreference bonzini at gnu dot org
  2010-04-05 19:39 ` [Bug regex/11053] " drepper at redhat dot com
@ 2010-04-09 17:46 ` bonzini at gnu dot org
  1 sibling, 0 replies; 28+ messages in thread
From: bonzini at gnu dot org @ 2010-04-09 17:46 UTC (permalink / raw)
  To: glibc-bugs-regex


------- Additional Comments From bonzini at gnu dot org  2010-04-09 17:46 -------
Minimized testcases (same regex):

$ echo 8 | grep -E -e "$regex"
8          # >>> okay
$ echo 87 | grep -E -e "$regex"
Segmentation fault

$ echo 88 | grep -E -e "$regex"
88         # >>> okay
$ echo 887 | grep -E -e "$regex"
Segmentation fault

Also, everything I tried to feed that is of length 9 or higher and should not
match, gives either a false positive or a segfault:

$ echo 987654321 | grep -E -e "$regex"
887654321
$ echo 484635532 | grep -E -e "$regex"
484635532
$ echo 0123454321 | grep -E -e "$regex"
Segmentation fault
$ echo 0000123454321 | grep -E -e "$regex"
Segmentation fault


-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Segfault on invalid         |Wrong results with
                   |backreference               |backreferences


http://sourceware.org/bugzilla/show_bug.cgi?id=11053


* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
                   ` (23 preceding siblings ...)
  2022-09-08 11:44 ` vincent-srcware at vinc17 dot net
@ 2022-11-11 16:29 ` cvs-commit at gcc dot gnu.org
  24 siblings, 0 replies; 28+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2022-11-11 16:29 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

--- Comment #26 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.34/master branch has been updated by Florian Weimer
<fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=86a701a20479dfbc23540b3143fd5b28660a2447

commit 86a701a20479dfbc23540b3143fd5b28660a2447
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Tue Sep 21 07:47:45 2021 -0700

    regex: copy back from Gnulib

    Copy regex-related files back from Gnulib, to fix a problem with
    static checking of regex calls noted by Martin Sebor.  This merges the
    following changes:

    * New macro __attribute_nonnull__ in misc/sys/cdefs.h, for use later
    when copying other files back from Gnulib.

    * Use __GNULIB_CDEFS instead of __GLIBC__ when deciding
    whether to include bits/wordsize.h etc.

    * Avoid duplicate entries in epsilon closure table.

    * New regex.h macro _REGEX_NELTS to let regexec say that its pmatch
    arg should contain nmatch elts.  Use that for regexec, instead of
    __attr_access (which is incorrect).

    * New regex.h macro _Attr_access_ which is like __attr_access except
    portable to non-glibc platforms.

    * Add some DEBUG_ASSERTs to pacify gcc -fanalyzer and to catch
    recently-fixed performance bugs if they recur.

    * Add Gnulib-specific stuff to port the dynarray- and lock-using parts
    of regex code to non-glibc platforms.

    * Fix glibc bug 11053.

    * Avoid some undefined behavior when popping an empty fail stack.

    (cherry picked from commit 0b5ca7c3e551e5502f3be3b06453324fe8604e82)

-- 
You are receiving this mail because:
You are on the CC list for the bug.


* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
                   ` (22 preceding siblings ...)
  2022-09-07 20:57 ` eggert at cs dot ucla.edu
@ 2022-09-08 11:44 ` vincent-srcware at vinc17 dot net
  2022-11-11 16:29 ` cvs-commit at gcc dot gnu.org
  24 siblings, 0 replies; 28+ messages in thread
From: vincent-srcware at vinc17 dot net @ 2022-09-08 11:44 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

--- Comment #25 from Vincent Lefèvre <vincent-srcware at vinc17 dot net> ---
(In reply to eggert from comment #24)
> Sure, feel free to file it as a new bug.

Bug 29560.


* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
                   ` (21 preceding siblings ...)
  2022-09-07 10:31 ` vincent-srcware at vinc17 dot net
@ 2022-09-07 20:57 ` eggert at cs dot ucla.edu
  2022-09-08 11:44 ` vincent-srcware at vinc17 dot net
  2022-11-11 16:29 ` cvs-commit at gcc dot gnu.org
  24 siblings, 0 replies; 28+ messages in thread
From: eggert at cs dot ucla.edu @ 2022-09-07 20:57 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

--- Comment #24 from eggert at cs dot ucla.edu ---
Sure, feel free to file it as a new bug.


* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
                   ` (20 preceding siblings ...)
  2022-09-07  4:31 ` eggert at cs dot ucla.edu
@ 2022-09-07 10:31 ` vincent-srcware at vinc17 dot net
  2022-09-07 20:57 ` eggert at cs dot ucla.edu
                   ` (2 subsequent siblings)
  24 siblings, 0 replies; 28+ messages in thread
From: vincent-srcware at vinc17 dot net @ 2022-09-07 10:31 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

--- Comment #23 from Vincent Lefèvre <vincent-srcware at vinc17 dot net> ---
What about attachment 10674 ("This test case silently returns the wrong
answer"), with the pattern "^(11+)\\1+$|^1?$" and the string "1111111111111"?

Should it be regarded as part of Bug#17356 or another bug? This case seems
quite different from Bug#10844 and Bug#17356. Unless the intent is to group all
the bugs about regexp involving backreferences giving a wrong answer[*] (in
which case Bug#10844 and Bug#17356 should be regarded as duplicates to each
other), I think that this should be a new bug.

[*] as opposed to a crash like in this bug 11053.


* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
                   ` (19 preceding siblings ...)
  2022-09-07  0:17 ` vincent-srcware at vinc17 dot net
@ 2022-09-07  4:31 ` eggert at cs dot ucla.edu
  2022-09-07 10:31 ` vincent-srcware at vinc17 dot net
                   ` (3 subsequent siblings)
  24 siblings, 0 replies; 28+ messages in thread
From: eggert at cs dot ucla.edu @ 2022-09-07  4:31 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

--- Comment #22 from eggert at cs dot ucla.edu ---
(In reply to Vincent Lefèvre from comment #21)
> (In reply to eggert from comment #20)
> > OK, so in that case how about if we update Bug#17356 by (1) saying it is no
> > longer a duplicate of Bug#11053 (as we've fixed the latter but not the
> > former), and (2) reopening Bug#17536? If I understand you correctly, that
> > would match the symptoms you describe.
> 
> Yes, I think that this is the best solution.

OK, done.


* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
                   ` (18 preceding siblings ...)
  2022-09-06 23:41 ` eggert at cs dot ucla.edu
@ 2022-09-07  0:17 ` vincent-srcware at vinc17 dot net
  2022-09-07  4:31 ` eggert at cs dot ucla.edu
                   ` (4 subsequent siblings)
  24 siblings, 0 replies; 28+ messages in thread
From: vincent-srcware at vinc17 dot net @ 2022-09-07  0:17 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

--- Comment #21 from Vincent Lefèvre <vincent-srcware at vinc17 dot net> ---
(In reply to eggert from comment #20)
> OK, so in that case how about if we update Bug#17356 by (1) saying it is no
> longer a duplicate of Bug#11053 (as we've fixed the latter but not the
> former), and (2) reopening Bug#17536? If I understand you correctly, that
> would match the symptoms you describe.

Yes, I think that this is the best solution.


* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
                   ` (17 preceding siblings ...)
  2022-09-06 22:56 ` vincent-srcware at vinc17 dot net
@ 2022-09-06 23:41 ` eggert at cs dot ucla.edu
  2022-09-07  0:17 ` vincent-srcware at vinc17 dot net
                   ` (5 subsequent siblings)
  24 siblings, 0 replies; 28+ messages in thread
From: eggert at cs dot ucla.edu @ 2022-09-06 23:41 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

--- Comment #20 from eggert at cs dot ucla.edu ---
(In reply to Vincent Lefèvre from comment #19)

> regbug.c is derived from the attachment in Bug#17356 (as said in comment 5).
> I've tested this original testcase: with glibc 2.34 on x86_64, it crashes
> (segmentation fault); with glibc 2.35 on riscv64 (host gcc92), it outputs
> "no match (incorrect)".
> 
> So it seems that the fix mentioned in comment 13 fixed the crashes (which
> was the initial bug report), but not the misbehavior.

OK, so in that case how about if we update Bug#17356 by (1) saying it is no
longer a duplicate of Bug#11053 (as we've fixed the latter but not the former),
and (2) reopening Bug#17536? If I understand you correctly, that would match
the symptoms you describe.


* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
                   ` (16 preceding siblings ...)
  2022-09-06 18:47 ` eggert at cs dot ucla.edu
@ 2022-09-06 22:56 ` vincent-srcware at vinc17 dot net
  2022-09-06 23:41 ` eggert at cs dot ucla.edu
                   ` (6 subsequent siblings)
  24 siblings, 0 replies; 28+ messages in thread
From: vincent-srcware at vinc17 dot net @ 2022-09-06 22:56 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

--- Comment #19 from Vincent Lefèvre <vincent-srcware at vinc17 dot net> ---
Sorry, actually both regbug.c and rebug2.c fail as they return the exit status
1 (with my usual configuration, my prompt shows any non-zero exit status, but
this is not the case of the machine on which I had done the test, so that I
missed the failure initially):

vinc17@gcc92:~$ ./regbug
vinc17@gcc92:~$ echo $?
1
vinc17@gcc92:~$ ./rebug2
vinc17@gcc92:~$ echo $?
1

However, in the test from Paolo Bonzini's bug report (comment 0), grep no
longer crashes (while it still crashes with glibc 2.34, which does not have the
fix).

regbug.c is derived from the attachment in Bug#17356 (as said in comment 5).
I've tested this original testcase: with glibc 2.34 on x86_64, it crashes
(segmentation fault); with glibc 2.35 on riscv64 (host gcc92), it outputs "no
match (incorrect)".

So it seems that the fix mentioned in comment 13 fixed the crashes (which was
the initial bug report), but not the misbehavior.

Now, with these new details, is it still OK to regard this bug as fixed and
that the misbehavior (rebug.c from Bug#17356; regbug.c and rebug2.c from this
bug) is actually a new bug?


* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
                   ` (15 preceding siblings ...)
  2022-09-06  2:59 ` vincent-srcware at vinc17 dot net
@ 2022-09-06 18:47 ` eggert at cs dot ucla.edu
  2022-09-06 22:56 ` vincent-srcware at vinc17 dot net
                   ` (7 subsequent siblings)
  24 siblings, 0 replies; 28+ messages in thread
From: eggert at cs dot ucla.edu @ 2022-09-06 18:47 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

eggert at cs dot ucla.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #18 from eggert at cs dot ucla.edu ---
(In reply to Vincent Lefèvre from comment #16)
> (In reply to eggert from comment #15)
> > glibc bug 11053 is fixed,
> 
> Shouldn't this bug be resolved as fixed, then?

OK, done.


> > Perhaps a better match for 
> > Debian bug 884075 is glibc bug 10844.
> 
> It seems different.

In that case it might be better to file a new glibc bug report, one that
corresponds more closely to Debian bug 884075.


* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
                   ` (14 preceding siblings ...)
  2022-09-06  2:47 ` vincent-srcware at vinc17 dot net
@ 2022-09-06  2:59 ` vincent-srcware at vinc17 dot net
  2022-09-06 18:47 ` eggert at cs dot ucla.edu
                   ` (8 subsequent siblings)
  24 siblings, 0 replies; 28+ messages in thread
From: vincent-srcware at vinc17 dot net @ 2022-09-06  2:59 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

--- Comment #17 from Vincent Lefèvre <vincent-srcware at vinc17 dot net> ---
This could be simplified a bit:

vinc17@gcc92:~$ echo 11111111111 | grep --color=auto -E '^(11+)\1+$|^$'
11111111111

(nothing colored).


* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
                   ` (13 preceding siblings ...)
  2022-09-06  0:37 ` eggert at cs dot ucla.edu
@ 2022-09-06  2:47 ` vincent-srcware at vinc17 dot net
  2022-09-06  2:59 ` vincent-srcware at vinc17 dot net
                   ` (9 subsequent siblings)
  24 siblings, 0 replies; 28+ messages in thread
From: vincent-srcware at vinc17 dot net @ 2022-09-06  2:47 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

--- Comment #16 from Vincent Lefèvre <vincent-srcware at vinc17 dot net> ---
(In reply to eggert from comment #15)
> glibc bug 11053 is fixed,

Shouldn't this bug be resolved as fixed, then?

> but Debian bug 884075 is not fixed. Perhaps a better match for 
> Debian bug 884075 is glibc bug 10844.

It seems different. With Debian bug 884075, the "|^1?$" part is important (it
yields the incorrect output, even though this part isn't matched), and there is
nothing like that in glibc bug 10844:

vinc17@gcc92:~$ echo 11111111111 | grep --color=auto -E '^(11+)\1+$|^1?$'
11111111111
vinc17@gcc92:~$ echo 11111111111 | grep --color=auto -E '^(11+)\1+$'
vinc17@gcc92:~$ 

Note that for the first command, nothing is colored in "11111111111", i.e. the
line is output as if it appeared to be matched, but no matches are shown by colors.
As a comparison, with ten 1s instead of eleven, the line is output and the ten
1s are colored.

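Added example, not part of the original thread or of glibc's own tests: a C regression probe for the two symptoms discussed here, the regexec() crash on the comment 0 pattern and the wrong answer on '^(11+)\1+$|^1?$'. The oracle functions, the enum and probe() are names made up for this example; each match runs in a forked child so that a crash inside libc is reported instead of taking the checker down.

```c
#include <errno.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Patterns quoted in the thread (comment 0 and Debian bug 884075). */
#define PAT_COMMENT0 \
    "^(.?)(.?)(.?)(.?)(.?)(.?)(.?)(.?)(.?).?\\9\\8\\7\\6\\5\\4\\3\\2\\1$"
#define PAT_ONES "^(11+)\\1+$|^1?$"

enum probe_result { PROBE_OK, PROBE_WRONG, PROBE_CRASH, PROBE_ERROR };

/* Oracle (constructed for this example): PAT_COMMENT0 accepts exactly
   the palindromes of at most 19 characters. */
static int oracle_palindrome19(const char *s)
{
    size_t n = strlen(s);
    if (n > 19)
        return 0;
    for (size_t i = 0; i < n / 2; i++)
        if (s[i] != s[n - 1 - i])
            return 0;
    return 1;
}

/* Oracle (constructed for this example): PAT_ONES accepts a run of n '1'
   characters when n is 0, 1 or composite, and nothing else. */
static int oracle_nonprime_ones(const char *s)
{
    size_t n = strlen(s);
    if (strspn(s, "1") != n)
        return 0;
    if (n < 2)
        return 1;
    for (size_t d = 2; d * d <= n; d++)
        if (n % d == 0)
            return 1;
    return 0;
}

/* Compile and match in a child process; the parent classifies the outcome.
   Exit codes 10/11/12 are private to this example and chosen to stay clear
   of the small codes a runtime or sanitizer may use when it aborts. */
static enum probe_result probe(const char *pattern, const char *input,
                               int expect_match)
{
    int status;
    fflush(NULL);
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_ERROR;
    if (pid == 0) {
        regex_t re;
        regmatch_t pm[10];          /* whole match + up to 9 groups */
        alarm(5);                   /* bound a runaway match */
        if (regcomp(&re, pattern, REG_EXTENDED) != 0)
            _exit(12);
        int rc = regexec(&re, input, 10, pm, 0);
        _exit(rc == 0 ? 10 : rc == REG_NOMATCH ? 11 : 12);
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return PROBE_ERROR;
    if (WIFSIGNALED(status))        /* SIGSEGV, SIGABRT, SIGALRM, ... */
        return PROBE_CRASH;
    if (!WIFEXITED(status) ||
        (WEXITSTATUS(status) != 10 && WEXITSTATUS(status) != 11))
        return PROBE_ERROR;
    int matched = (WEXITSTATUS(status) == 10);
    return matched == (expect_match != 0) ? PROBE_OK : PROBE_WRONG;
}

struct probe_case { const char *pattern, *input; int (*oracle)(const char *); };

/* Inputs are the ones quoted in the thread. */
static const struct probe_case cases[] = {
    { PAT_COMMENT0, "8",             oracle_palindrome19 },
    { PAT_COMMENT0, "87",            oracle_palindrome19 },
    { PAT_COMMENT0, "88",            oracle_palindrome19 },
    { PAT_COMMENT0, "887",           oracle_palindrome19 },
    { PAT_COMMENT0, "87654321",      oracle_palindrome19 },
    { PAT_COMMENT0, "0123454321",    oracle_palindrome19 },
    { PAT_COMMENT0, "0000123454321", oracle_palindrome19 },
    { PAT_ONES,     "1111111111",    oracle_nonprime_ones },  /* ten 1s */
    { PAT_ONES,     "11111111111",   oracle_nonprime_ones },  /* eleven 1s */
    { PAT_ONES,     "1111111111111", oracle_nonprime_ones },  /* thirteen 1s */
};

/* Returns the number of cases that crashed, errored or disagreed. */
static int run_all(void)
{
    static const char *const names[] = { "ok", "WRONG RESULT", "CRASH", "error" };
    int bad = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const struct probe_case *c = &cases[i];
        enum probe_result r = probe(c->pattern, c->input, c->oracle(c->input));
        printf("%-14s %-13s %s\n", c->input, names[r], c->pattern);
        bad += (r != PROBE_OK);
    }
    return bad;
}

int main(void) { return run_all() != 0; }
```

A nonzero exit status means at least one case crashed or disagreed with its oracle on the libc the program was linked against.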

* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
                   ` (12 preceding siblings ...)
  2022-09-05 23:06 ` vincent-srcware at vinc17 dot net
@ 2022-09-06  0:37 ` eggert at cs dot ucla.edu
  2022-09-06  2:47 ` vincent-srcware at vinc17 dot net
                   ` (10 subsequent siblings)
  24 siblings, 0 replies; 28+ messages in thread
From: eggert at cs dot ucla.edu @ 2022-09-06  0:37 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

--- Comment #15 from eggert at cs dot ucla.edu ---
On 9/5/22 18:06, vincent-srcware at vinc17 dot net wrote:
>
> What is the status of this bug? The comment says that it is fixed, and I could
> check on an Ubuntu 22.04.1 LTS machine with libc6 2.35-0ubuntu3.1 that regbug.c
> and rebug2.c no longer fail, but the result is still incorrect with the grep
> example from Debian bug 884075:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884075
>
> vinc17@gcc92:~$ echo 11111111111 | grep -E '^(11+)\1+$|^1?$' ; echo $?
> 11111111111
> 0
>
It looks like my comment 
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884075#27> was 
incorrect, in that the two bugs are different bugs. glibc bug 11053 is 
fixed, but Debian bug 884075 is not fixed. Perhaps a better match for 
Debian bug 884075 is glibc bug 10844.

It's not an important bug. However, if you have time to fix it please 
feel free to send in a fix.


* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
                   ` (11 preceding siblings ...)
  2021-09-21 15:00 ` cvs-commit at gcc dot gnu.org
@ 2022-09-05 23:06 ` vincent-srcware at vinc17 dot net
  2022-09-06  0:37 ` eggert at cs dot ucla.edu
                   ` (11 subsequent siblings)
  24 siblings, 0 replies; 28+ messages in thread
From: vincent-srcware at vinc17 dot net @ 2022-09-05 23:06 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

Vincent Lefèvre <vincent-srcware at vinc17 dot net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |vincent-srcware at vinc17 dot net

--- Comment #14 from Vincent Lefèvre <vincent-srcware at vinc17 dot net> ---
(In reply to cvs-commit@gcc.gnu.org from comment #13)
> The master branch has been updated by Paul Eggert <eggert@sourceware.org>:
> 
> https://sourceware.org/git/gitweb.cgi?p=glibc.git;
> h=0b5ca7c3e551e5502f3be3b06453324fe8604e82
> 
> commit 0b5ca7c3e551e5502f3be3b06453324fe8604e82
> Author: Paul Eggert <eggert@cs.ucla.edu>
> Date:   Tue Sep 21 07:47:45 2021 -0700
[...]
>     * Fix glibc bug 11053.

What is the status of this bug? The comment says that it is fixed, and I could
check on an Ubuntu 22.04.1 LTS machine with libc6 2.35-0ubuntu3.1 that regbug.c
and rebug2.c no longer fail, but the result is still incorrect with the grep
example from Debian bug 884075:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884075

vinc17@gcc92:~$ echo 11111111111 | grep -E '^(11+)\1+$|^1?$' ; echo $?
11111111111
0


* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
                   ` (10 preceding siblings ...)
  2021-08-25 18:09 ` eggert at cs dot ucla.edu
@ 2021-09-21 15:00 ` cvs-commit at gcc dot gnu.org
  2022-09-05 23:06 ` vincent-srcware at vinc17 dot net
                   ` (12 subsequent siblings)
  24 siblings, 0 replies; 28+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2021-09-21 15:00 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

--- Comment #13 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Paul Eggert <eggert@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0b5ca7c3e551e5502f3be3b06453324fe8604e82

commit 0b5ca7c3e551e5502f3be3b06453324fe8604e82
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Tue Sep 21 07:47:45 2021 -0700

    regex: copy back from Gnulib

    Copy regex-related files back from Gnulib, to fix a problem with
    static checking of regex calls noted by Martin Sebor.  This merges the
    following changes:

    * New macro __attribute_nonnull__ in misc/sys/cdefs.h, for use later
    when copying other files back from Gnulib.

    * Use __GNULIB_CDEFS instead of __GLIBC__ when deciding
    whether to include bits/wordsize.h etc.

    * Avoid duplicate entries in epsilon closure table.

    * New regex.h macro _REGEX_NELTS to let regexec say that its pmatch
    arg should contain nmatch elts.  Use that for regexec, instead of
    __attr_access (which is incorrect).

    * New regex.h macro _Attr_access_ which is like __attr_access except
    portable to non-glibc platforms.

    * Add some DEBUG_ASSERTs to pacify gcc -fanalyzer and to catch
    recently-fixed performance bugs if they recur.

    * Add Gnulib-specific stuff to port the dynarray- and lock-using parts
    of regex code to non-glibc platforms.

    * Fix glibc bug 11053.

    * Avoid some undefined behavior when popping an empty fail stack.


* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
                   ` (9 preceding siblings ...)
  2021-08-25  5:10 ` michael.hudson at canonical dot com
@ 2021-08-25 18:09 ` eggert at cs dot ucla.edu
  2021-09-21 15:00 ` cvs-commit at gcc dot gnu.org
                   ` (13 subsequent siblings)
  24 siblings, 0 replies; 28+ messages in thread
From: eggert at cs dot ucla.edu @ 2021-08-25 18:09 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

--- Comment #12 from eggert at cs dot ucla.edu ---
(In reply to Michael Hudson-Doyle from comment #11)
> Did the patch ever get sent to libc-alpha?

Unfortunately I never got around to it.

Someone else can shepherd it if it's urgent; otherwise I suppose it can wait
until someone gets around to syncing Gnulib with glibc.


* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
                   ` (8 preceding siblings ...)
  2021-08-16  7:08 ` simon_a_taylor at yahoo dot com
@ 2021-08-25  5:10 ` michael.hudson at canonical dot com
  2021-08-25 18:09 ` eggert at cs dot ucla.edu
                   ` (14 subsequent siblings)
  24 siblings, 0 replies; 28+ messages in thread
From: michael.hudson at canonical dot com @ 2021-08-25  5:10 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

Michael Hudson-Doyle <michael.hudson at canonical dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |michael.hudson at canonical dot co
                   |                            |m

--- Comment #11 from Michael Hudson-Doyle <michael.hudson at canonical dot com> ---
Did the patch ever get sent to libc-alpha?


* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
                   ` (7 preceding siblings ...)
  2021-08-16  0:55 ` sam at gentoo dot org
@ 2021-08-16  7:08 ` simon_a_taylor at yahoo dot com
  2021-08-25  5:10 ` michael.hudson at canonical dot com
                   ` (15 subsequent siblings)
  24 siblings, 0 replies; 28+ messages in thread
From: simon_a_taylor at yahoo dot com @ 2021-08-16  7:08 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

Simon Taylor <simon_a_taylor at yahoo dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |simon_a_taylor at yahoo dot com


* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
                   ` (6 preceding siblings ...)
  2021-03-04  7:33 ` mliska at suse dot cz
@ 2021-08-16  0:55 ` sam at gentoo dot org
  2021-08-16  7:08 ` simon_a_taylor at yahoo dot com
                   ` (16 subsequent siblings)
  24 siblings, 0 replies; 28+ messages in thread
From: sam at gentoo dot org @ 2021-08-16  0:55 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sam at gentoo dot org


* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
                   ` (5 preceding siblings ...)
  2021-02-06  7:37 ` eggert at cs dot ucla.edu
@ 2021-03-04  7:33 ` mliska at suse dot cz
  2021-08-16  0:55 ` sam at gentoo dot org
                   ` (17 subsequent siblings)
  24 siblings, 0 replies; 28+ messages in thread
From: mliska at suse dot cz @ 2021-03-04  7:33 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

Martin Liska <mliska at suse dot cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mliska at suse dot cz


* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
                   ` (4 preceding siblings ...)
  2017-01-17 21:24 ` eggert at gnu dot org
@ 2021-02-06  7:37 ` eggert at cs dot ucla.edu
  2021-03-04  7:33 ` mliska at suse dot cz
                   ` (18 subsequent siblings)
  24 siblings, 0 replies; 28+ messages in thread
From: eggert at cs dot ucla.edu @ 2021-02-06  7:37 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

eggert at cs dot ucla.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bonzini at gnu dot org             |eggert at cs dot ucla.edu

--- Comment #10 from eggert at cs dot ucla.edu ---
Created attachment 13204
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13204&action=edit
regex: fix undefined backref behavior

I am attaching a proposed patch for this longstanding bug. I plan to email this
to libc-alpha shortly.


* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
                   ` (3 preceding siblings ...)
  2014-09-23  7:55 ` fweimer at redhat dot com
@ 2017-01-17 21:24 ` eggert at gnu dot org
  2021-02-06  7:37 ` eggert at cs dot ucla.edu
                   ` (19 subsequent siblings)
  24 siblings, 0 replies; 28+ messages in thread
From: eggert at gnu dot org @ 2017-01-17 21:24 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

--- Comment #4 from Paul Eggert <eggert at gnu dot org> ---
This bug causes GNU coreutils Bug#22793 "grep -E assertion failure with back
references"; see <https://bugs.gnu.org/22793>. I'm adding comments to both bug
reports so that the connection between the two bugs is clearer.

Although this bug's current assignee is Paolo Bonzini (the original reporter),
I think Paolo is pretty busy doing other stuff. Is someone else available to
work on regex bugs? I suspect the fix for this bug will not be trivial.

From: "eggert at gnu dot org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/11053] Wrong results with backreferences
Date: Tue, 17 Jan 2017 22:02:00 -0000
X-Bugzilla-Flags: security+

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

--- Comment #5 from Paul Eggert <eggert at gnu dot org> ---
Created attachment 9758
  --> https://sourceware.org/bugzilla/attachment.cgi?id=9758&action=edit
C code to reproduce the bug

I attached a slightly-simpler C-language reproducer for the bug, derived from
the attachment in Bug#17356. If I compile and run this program, it outputs
"a.out: regexec.c:1375: pop_fail_stack: Assertion `num >= 0' failed." and then
aborts.

From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21163] New: Assertion failure in pop_fail_stack when executing a malformed regexp
Date: Tue, 14 Feb 2017 18:54:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21163

            Bug ID: 21163
           Summary: Assertion failure in pop_fail_stack when executing a
                    malformed regexp
           Product: glibc
           Version: 2.24
            Status: NEW
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---
             Flags: security-

Debian bug report:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392

Reproducer from the Debian bug:

#include <assert.h>
#include <regex.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    int rc;
    regex_t preg;
    regmatch_t pmatch[2];

    rc = regcomp(&preg, "()*)|\\1)*", REG_EXTENDED);
    assert(rc == 0);
    regexec(&preg, "", 2, pmatch, 0);
    regfree(&preg);
    return 0;
}

This was assigned CVE-2015-8985 even though it is debatable whether this is a
security bug.

From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21163] Assertion failure in pop_fail_stack when executing a malformed regexp (CVE-2015-8985)
Date: Tue, 14 Feb 2017 18:55:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21163

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Assertion failure in        |Assertion failure in
                   |pop_fail_stack when         |pop_fail_stack when
                   |executing a malformed       |executing a malformed
                   |regexp                      |regexp (CVE-2015-8985)

From: "vapier at gentoo dot org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21163] Assertion failure in pop_fail_stack when executing a malformed regexp (CVE-2015-8985)
Date: Wed, 15 Feb 2017 08:13:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21163

Mike Frysinger <vapier at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.gentoo.org/show_bug.cgi?id=609386

From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/14780] [PATCH] handle malloc() and realloc() failures in regcomp()
Date: Wed, 15 Mar 2017 17:34:00 -0000
X-Bugzilla-Flags: security-

https://sourceware.org/bugzilla/show_bug.cgi?id=14780

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |NEW

From: "boehme.marcel at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21442] New: Crash in re_search_stub
Date: Fri, 28 Apr 2017 01:30:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21442

            Bug ID: 21442
           Summary: Crash in re_search_stub
           Product: glibc
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: boehme.marcel at gmail dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Dear all,

We found a null pointer dereference resulting in a segmentation fault that
might be a bug in diffutils or a bug in GLIBC depending on the perspective one
takes. The patch can be in GLIBC (introducing a simple null pointer check) or
in Diffutils (preventing the null pointer dereference altogether). We already
reported the bug downstream at
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=26690. Below we provide a quick
analysis. We think it is actually an incorrect use of GLIBC. However, since it
can be easily prevented in GLIBC, we thought we should report it here as well.

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also
to Van-Thuan Pham.

How to reproduce:
$ diff -Ia -I\\ <(printf "") <(echo a)
diff: \: Trailing backslash
diff: stack overflow

ASAN says:
ASAN:DEADLYSIGNAL
=================================================================
==74668==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000d8 (pc
0x7f0670589bad bp 0x000000000000 sp 0x7ffefbed15b0 T0)
   #0 0x7f0670589bac in re_search_stub
/build/eglibc-MjiXCM/eglibc-2.19/posix/regexec.c:414
   #1 0x7f067058a527 in re_search
/build/eglibc-MjiXCM/eglibc-2.19/posix/regexec.c:312
   #2 0x555bfc in analyze_hunk
/home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/../../src/util.c:1522:8
   #3 0x4f91dd in diff_2_files
/home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/../../src/analyze.c:620:12
   #4 0x528971 in compare_files
/home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/../../src/diff.c:1434:11
   #5 0x51882c in main
/home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/../../src/diff.c:800:18
   #6 0x7f06704c4f44 in __libc_start_main
/build/eglibc-MjiXCM/eglibc-2.19/csu/libc-start.c:287
   #7 0x41bac5 in _start
(/home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/diff+0x41bac5)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/build/eglibc-MjiXCM/eglibc-2.19/posix/regexec.c:414 in re_search_stub

This is our analysis:
For the diff-tool the argument -I<regexp> specifies the changed lines to
exclude. For each such argument, the function add_regexp in diff.c is called.
This function uses re_compile_pattern to successfully compile the first
pattern. However, it fails to compile the second pattern, giving the error
“Trailing backslash”. In both cases, the function uses the re_pattern_buffer
*ignore_regexp. However, the failed compilation corrupts *ignore_regexp,
setting ignore_regexp->buffer=0x0 and ignore_regexp->allocated=0. Later, in
function summarize_regexp_list, it is established that at least one pattern was
successfully compiled and ignore_regexp->fastmap is set, indicating that
re_search is being called in utils.c:1501. Unfortunately, it is being called on
the corrupted ignore_regexp where ignore_regexp->buf = 0x0. GLIBC does not
check for a null-pointer when dereferencing the buffer in regexec.c:413.

GDB says:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7af5056 in re_search_stub (bufp=0x6228a0 <ignore_regexp>,
string=string@entry=0x62a050 "a\n", length=1, start=start@entry=0, range=1,
stop=1, regs=0x0, ret_len=0) at regexec.c:413
413     in regexec.c
(gdb) p *bufp
$1 = {buffer = 0x0, allocated = 0, used = 224, syntax = 330310, fastmap =
0x6271f0 "\330\036\335\367\377\177", translate = 0x0, re_nsub = 0, can_be_null
= 0, regs_allocated = 0, fastmap_accurate = 0, no_sub = 0, not_bol = 0, not_eol
= 0, newline_anchor = 1}
(gdb) bt
#0  0x00007ffff7af5056 in re_search_stub (bufp=0x6228a0 <ignore_regexp>,
string=string@entry=0x62a050 "a\n", length=1, start=start@entry=0, range=1,
stop=1, regs=0x0, ret_len=0) at regexec.c:413
#1  0x00007ffff7af5a70 in __re_search (bufp=<optimized out>,
string=string@entry=0x62a050 "a\n", length=<optimized out>,
start=start@entry=0, range=<optimized out>, regs=regs@entry=0x0) at
regexec.c:317
#2  0x000000000040ce1e in analyze_hunk (hunk=hunk@entry=0x627340,
first0=first0@entry=0x7fffffffdf80, last0=last0@entry=0x7fffffffdf88,
first1=first1@entry=0x7fffffffdf90, last1=last1@entry=0x7fffffffdf98) at
util.c:1522
#3  0x000000000040507d in diff_2_files (cmp=cmp@entry=0x7fffffffe060) at
analyze.c:620
#4  0x00000000004071f7 in compare_files (parent=parent@entry=0x0,
name0=0x7fffffffe6ec "/dev/fd/63", name1=<optimized out>) at diff.c:1434
#5  0x000000000040387e in main (argc=<optimized out>, argv=<optimized out>) at
diff.c:800

VALGRIND says:
==103798== Memcheck, a memory error detector
==103798== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==103798== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==103798== Command: src/diff -Ia -I\\ /dev/fd/63 /dev/fd/62
==103798== 
src/diff: \: Trailing backslash
==103798== Invalid read of size 4
==103798==    at 0x4F21056: re_search_stub (regexec.c:413)
==103798==    by 0x4F21A6F: re_search (regexec.c:317)
==103798==    by 0x40CE1D: analyze_hunk (util.c:1522)
==103798==    by 0x40507C: diff_2_files (analyze.c:620)
==103798==    by 0x4071F6: compare_files (diff.c:1434)
==103798==    by 0x40387D: main (diff.c:800)
==103798==  Address 0xd8 is not stack'd, malloc'd or (recently) free'd
==103798== 
diff: stack overflow
==103798== 
==103798== HEAP SUMMARY:
==103798==     in use at exit: 4,970 bytes in 25 blocks
==103798==   total heap usage: 75 allocs, 50 frees, 28,030 bytes allocated
==103798== 
==103798== LEAK SUMMARY:
==103798==    definitely lost: 136 bytes in 5 blocks
==103798==    indirectly lost: 120 bytes in 6 blocks
==103798==      possibly lost: 0 bytes in 0 blocks
==103798==    still reachable: 4,714 bytes in 14 blocks
==103798==         suppressed: 0 bytes in 0 blocks
==103798== Rerun with --leak-check=full to see details of leaked memory
==103798== 
==103798== For counts of detected and suppressed errors, rerun with: -v
==103798== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Best regards,
- Marcel

---
Marcel Böhme
Senior Research Fellow
TSUNAMi Security Research Centre
National University of Singapore

From: "adhemerval.zanella at linaro dot org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21442] Crash in re_search_stub
Date: Mon, 01 May 2017 13:50:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21442

Adhemerval Zanella <adhemerval.zanella at linaro dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |adhemerval.zanella at linaro dot org

--- Comment #1 from Adhemerval Zanella <adhemerval.zanella at linaro dot org> ---
Since re_exec is a GNU extension this API corner case should be documented and
afaik unfortunately it isn't (using the gnulib documentation [1]).

For these cases I tend to follow, if possible, the POSIX inspired API. The POSIX
regular expression API [2] states that:

"[...] If the preg argument to regexec() or regfree() is not a compiled regular
expression returned by regcomp(), the result is undefined. [...]"

So if I understood the issue description correctly, it is using an invalid
regular expression buffer description on re_search (since the expression
compilation failed). IMHO we should treat this as undefined (as the POSIX
counterpart) and let the user handle it correctly.  In short, I would say we
should close this as not a bug.

[1] https://www.gnu.org/software/gnulib/manual/html_node/GNU-Searching.html
[2] http://pubs.opengroup.org/onlinepubs/9699919799/
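
Added example (not part of the thread, and not diffutils or glibc code): the caller-side handling that the analysis in the Bug 21442 report and comment #1 above point to, shown with the POSIX regcomp()/regexec() calls that comment #1 cites rather than the GNU re_compile_pattern()/re_search() calls in the report. Each pattern is compiled into its own slot, and the slot becomes visible to the matcher only when regcomp() returns 0. The struct and function names are hypothetical; the two patterns are constructed from the report's "-Ia -I\\" command line.

```c
/* Added example; names are hypothetical, not taken from diffutils or glibc. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATTERNS 8

struct pattern_list {
    regex_t compiled[MAX_PATTERNS]; /* slots [0, count) hold successful compiles only */
    size_t count;
};

void pattern_list_init(struct pattern_list *pl)
{
    memset(pl, 0, sizeof *pl);
}

/* Returns 0 on success, otherwise the regcomp() error code with its
   message copied into errbuf. A failed compile is never installed. */
int pattern_list_add(struct pattern_list *pl, const char *pattern,
                     char *errbuf, size_t errlen)
{
    int rc;

    if (pl->count == MAX_PATTERNS) {
        snprintf(errbuf, errlen, "too many patterns");
        return REG_ESPACE;
    }
    /* Compile into the next free slot. The matcher only walks [0, count),
       so this slot stays invisible until count is incremented below. */
    rc = regcomp(&pl->compiled[pl->count], pattern, REG_NOSUB | REG_NEWLINE);
    if (rc != 0) {
        /* The slot's contents are unspecified after a failure: report the
           error and leave count alone so the slot is never searched. */
        regerror(rc, NULL, errbuf, errlen);
        return rc;
    }
    pl->count++;
    return 0;
}

/* Returns 1 if any installed pattern matches line, 0 otherwise. */
int pattern_list_match(const struct pattern_list *pl, const char *line)
{
    size_t i;

    for (i = 0; i < pl->count; i++)
        if (regexec(&pl->compiled[i], line, 0, NULL, 0) == 0)
            return 1;
    return 0;
}

void pattern_list_free(struct pattern_list *pl)
{
    size_t i;

    for (i = 0; i < pl->count; i++)
        regfree(&pl->compiled[i]);
    pl->count = 0;
}

/* Replays the report's option sequence: a valid pattern followed by a lone
   backslash. Returns how many patterns were installed and stores the match
   result for the report's input line "a\n" in *matched. */
int replay_report(int *matched, char *errbuf, size_t errlen)
{
    static const char *const patterns[] = { "a", "\\" }; /* constructed input */
    struct pattern_list pl;
    int installed;
    size_t i;

    if (errlen > 0)
        errbuf[0] = '\0';
    pattern_list_init(&pl);
    for (i = 0; i < sizeof patterns / sizeof patterns[0]; i++)
        pattern_list_add(&pl, patterns[i], errbuf, errlen);
    *matched = pattern_list_match(&pl, "a\n");
    installed = (int) pl.count;
    pattern_list_free(&pl);
    return installed;
}

int main(void)
{
    char err[128];
    int matched;
    int installed = replay_report(&matched, err, sizeof err);

    printf("installed=%d matched=%d last error: %s\n", installed, matched, err);
    return 0;
}
```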

From: "boehme.marcel at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21442] Crash in re_search_stub
Date: Tue, 02 May 2017 00:43:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21442

Marcel Böhme <boehme.marcel at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID

--- Comment #2 from Marcel Böhme <boehme.marcel at gmail dot com> ---
Agreed. Thanks!

From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21442] Crash in re_search_stub
Date: Tue, 30 May 2017 19:41:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21442

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-

From: "bensberg at telfort dot nl" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21673] New: a regexec call with REG_STARTEND finds a bogus match for \>
Date: Mon, 26 Jun 2017 10:08:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21673

            Bug ID: 21673
           Summary: a regexec call with REG_STARTEND finds a bogus match
                    for \>
           Product: glibc
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: bensberg at telfort dot nl
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Created attachment 10222
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10222&action=edit
tiny program that searches for \> starting from two different positions

When calling regexec with the REG_STARTEND flag and providing
an end-of-range value (in .rm_eo) that points to somewhere in
the middle of a word, regexec will nevertheless find a match
for \> at that offset.  The corresponding case for \<, with a
start-of-range value (in .rm_so) that points to the middle of
a word, will /not/ find a match for \< there.  The latter is
what I expected, the former was a surprise.

To reproduce:
Compile the attached until.c and run it.

The actual output is:
Found tail at 6: '.  '
Found tail at 4: 'rd.  '

Expected result:
The second line of output shouldn't have been there, because
the word does not end after "wo".

First seen on Ubuntu Lucid (10.04).  Still present on Ubuntu
Zesty (17.04, glibc 2.24).

-- 
You are receiving this mail because:
You are on the CC list for the bug.
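The behaviour reported in bug 21673 above, as an added C example (not the attached until.c and not glibc code): it runs `\>` and `\<` over sub-ranges with REG_STARTEND and adds a caller-side check that discards a `\>` match reported at rm_eo when the range merely stops inside a word. The sample string and the helpers `search_range` and `checked_word_end` are assumptions of this example.

```c
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the word "word" occupies offsets 2..5. */
static const char SAMPLE[] = "  word.  ";

static int is_word_byte(unsigned char c)
{
    return isalnum(c) || c == '_';
}

/* Search buf[so..eo) for a basic regex using REG_STARTEND.
   Returns the match offset from the start of buf, -1 for no match,
   -2 if the pattern does not compile. */
static long search_range(const char *pattern, const char *buf,
                         size_t so, size_t eo)
{
    regex_t re;
    regmatch_t m;
    long at = -1;

    if (regcomp(&re, pattern, 0) != 0)
        return -2;
    m.rm_so = (regoff_t) so;   /* with REG_STARTEND, pmatch[0] is input */
    m.rm_eo = (regoff_t) eo;
    if (regexec(&re, buf, 1, &m, REG_STARTEND) == 0)
        at = (long) m.rm_so;
    regfree(&re);
    return at;
}

/* Hypothetical caller-side check: search for \> in buf[so..eo), but
   discard a match reported exactly at eo when the bytes on both sides
   of eo are word bytes, i.e. the range merely stops inside a word.
   buf must be NUL-terminated. */
static long checked_word_end(const char *buf, size_t so, size_t eo)
{
    long at = search_range("\\>", buf, so, eo);

    if (at >= 0 && (size_t) at == eo && eo > 0 && eo < strlen(buf)
        && is_word_byte((unsigned char) buf[eo - 1])
        && is_word_byte((unsigned char) buf[eo]))
        return -1;
    return at;
}

int main(void)
{
    size_t len = strlen(SAMPLE);

    printf("raw     \\> in [0,%zu): %ld\n", len, search_range("\\>", SAMPLE, 0, len));
    printf("raw     \\> in [0,4): %ld\n", search_range("\\>", SAMPLE, 0, 4));
    printf("checked \\> in [0,4): %ld\n", checked_word_end(SAMPLE, 0, 4));
    printf("raw     \\< in [4,%zu): %ld\n", len, search_range("\\<", SAMPLE, 4, len));
    return 0;
}
```

On a glibc that shows the reported behaviour the second line prints 4; the checked variant returns -1 either way.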
From: "gniibe at fsij dot org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/22425] New: Escape by \ with REG_ICASE
Date: Mon, 13 Nov 2017 00:52:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22425

            Bug ID: 22425
           Summary: Escape by \ with REG_ICASE
           Product: glibc
           Version: unspecified
               URL: https://dev.gnupg.org/T2923
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: gniibe at fsij dot org
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Created attachment 10583
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10583&action=edit
Test program to show regcomp bug

With REG_ICASE, escaping with \ (backslash) doesn't work well.
The regexp \x\y\z is expected to match the string xyz with REG_ICASE.

From: "schwab@linux-m68k.org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/22425] Escape by \ with REG_ICASE
Date: Mon, 13 Nov 2017 08:34:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22425

--- Comment #1 from Andreas Schwab <schwab@linux-m68k.org> ---
Unknown backslash escapes invoke undefined behaviour.

From: "eggert at cs dot ucla.edu" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/11053] Wrong results with backreferences
Date: Fri, 08 Dec 2017 18:32:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

eggert at cs dot ucla.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |eggert at cs dot ucla.edu

--- Comment #6 from eggert at cs dot ucla.edu ---
Created attachment 10674
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10674&action=edit
This test case silently returns the wrong answer

Following up on a 'grep' bug report here:

https://debbugs.gnu.org/29613

attached is a seemingly-related test case which illustrates a bug that causes
'grep' to quietly return the wrong answer instead of dumping core. This test
case should exit successfully, but because of the bug regexec returns 0 so the
test case exits with status 1. I compiled and ran it on Fedora 27 x86-64 with
"gcc regbug.c; ./a.out".

From: "jim at meyering dot net" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/22620] New: parse_expression blows stack for a 20k-byte regexp with only '('s
Date: Sat, 16 Dec 2017 19:13:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22620

            Bug ID: 22620
           Summary: parse_expression blows stack for a 20k-byte regexp
                    with only '('s
           Product: glibc
           Version: 2.28
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: jim at meyering dot net
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

glibc's regexp parser used to diagnose this problem with "Unmatched ( or \(",
but that no longer happens. Perhaps related (since COMPILE_STACK_ macros are
what caught the problem before), this change in 2002 removed the code in
question:
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=51f38e87b13f233bdf76bd6d3edaabf4fd9eb126

Now, attempting to compile such a regexp causes stack overflow and probable
segfault.

Demonstrate with this:

$ cat regex-compile-lparen-stack-overflow.c 
#include <stdlib.h>
#include <string.h>
#include <regex.h>

int
main (int argc, char **argv)
{
  size_t n = 40000;
  regex_t preg;
  char *pat = malloc (n+1);
  if (!pat) return 2;
  memset (pat, '(', n);
  pat[n] = '\0';
  int rc = regcomp (&preg, pat, REG_EXTENDED);
  return rc == 0;
}
$ gcc -g -O -Wall regex-compile-lparen-stack-overflow.c && ./a.out
segmentation fault (core dumped)  ./a.out

-- 
You are receiving this mail because:
You are on the CC list for the bug.
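An added example, not from the bug report or from glibc: one way for a caller to bound group nesting before handing an untrusted ERE to regcomp, so the recursive parser never sees input shaped like the reproducer in bug 22620. The limit of 256 and the names `ere_group_depth`, `regcomp_ere_bounded`, `try_nested` and `REGCOMP_TOO_DEEP` are assumptions of this example.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical policy values for this example. */
enum { MAX_GROUP_DEPTH = 256, REGCOMP_TOO_DEEP = -1 };
/* Deepest '(' nesting in an ERE; escapes and bracket contents are skipped. */
static size_t ere_group_depth(const char *p)
{
    size_t depth = 0, deepest = 0;
    while (*p) {
        if (*p == '\\' && p[1]) {
            p += 2;                      /* \( and \) are literals */
        } else if (*p == '[') {
            if (*++p == '^') p++;
            if (*p == ']') p++;          /* a leading ']' is a literal */
            while (*p && *p != ']') {
                if (*p == '[' && p[1] && strchr(":.=", p[1])) {
                    char kind = p[1];    /* [:class:], [.sym.], [=eq=] */
                    p += 2;
                    while (*p && !(*p == kind && p[1] == ']')) p++;
                    if (*p) p++;         /* now on the ']' of the inner close */
                }
                if (*p) p++;
            }
            if (*p) p++;                 /* closing ']' */
        } else {
            if (*p == '(' && ++depth > deepest) deepest = depth;
            if (*p == ')' && depth > 0) depth--;
            p++;
        }
    }
    return deepest;
}

/* regcomp for untrusted EREs: refuse over-nested patterns up front. */
static int regcomp_ere_bounded(regex_t *preg, const char *pattern, int cflags)
{
    if (ere_group_depth(pattern) > MAX_GROUP_DEPTH)
        return REGCOMP_TOO_DEEP;
    return regcomp(preg, pattern, cflags | REG_EXTENDED);
}

/* Constructed input: n '(' bytes, the shape used in the report. */
static int try_nested(size_t n)
{
    regex_t re;
    int rc;
    char *pat = malloc(n + 1);
    if (!pat) return REG_ESPACE;
    memset(pat, '(', n);
    pat[n] = '\0';
    rc = regcomp_ere_bounded(&re, pat, REG_NOSUB);
    if (rc == 0) regfree(&re);
    free(pat);
    return rc;
}

int main(void)
{
    printf("%zu %d\n", ere_group_depth("((a)(b(c)))"), try_nested(40000));
    return 0;
}
```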


* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
                   ` (2 preceding siblings ...)
  2014-09-23  2:28 ` eggert at gnu dot org
@ 2014-09-23  7:55 ` fweimer at redhat dot com
  2017-01-17 21:24 ` eggert at gnu dot org
                   ` (20 subsequent siblings)
  24 siblings, 0 replies; 28+ messages in thread
From: fweimer at redhat dot com @ 2014-09-23  7:55 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
*** Bug 17356 has been marked as a duplicate of this bug. ***

* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
  2014-06-30 20:34 ` fweimer at redhat dot com
  2014-06-30 20:34 ` fweimer at redhat dot com
@ 2014-09-23  2:28 ` eggert at gnu dot org
  2014-09-23  7:55 ` fweimer at redhat dot com
                   ` (21 subsequent siblings)
  24 siblings, 0 replies; 28+ messages in thread
From: eggert at gnu dot org @ 2014-09-23  2:28 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

Paul Eggert <eggert at gnu dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |eggert at gnu dot org
              Flags|                            |security+

--- Comment #2 from Paul Eggert <eggert at gnu dot org> ---
I ran into what appears to be the same bug independently and came up with a
simpler (all-C) reproducer; please see Bug#17356.  I tried to merge the two bug
reports via the web interface, but failed to do so.

* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
@ 2014-06-30 20:34 ` fweimer at redhat dot com
  2014-06-30 20:34 ` fweimer at redhat dot com
                   ` (23 subsequent siblings)
  24 siblings, 0 replies; 28+ messages in thread
From: fweimer at redhat dot com @ 2014-06-30 20:34 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-

* [Bug regex/11053] Wrong results with backreferences
       [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
  2014-06-30 20:34 ` fweimer at redhat dot com
@ 2014-06-30 20:34 ` fweimer at redhat dot com
  2014-09-23  2:28 ` eggert at gnu dot org
                   ` (22 subsequent siblings)
  24 siblings, 0 replies; 28+ messages in thread
From: fweimer at redhat dot com @ 2014-06-30 20:34 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|security-                   |

Thread overview: 28+ messages
2009-12-04 19:36 [Bug regex/11053] New: Segfault on invalid backreference bonzini at gnu dot org
2010-04-05 19:39 ` [Bug regex/11053] " drepper at redhat dot com
2010-04-09 17:46 ` [Bug regex/11053] Wrong results with backreferences bonzini at gnu dot org
     [not found] <bug-11053-132@http.sourceware.org/bugzilla/>
2014-06-30 20:34 ` fweimer at redhat dot com
2014-06-30 20:34 ` fweimer at redhat dot com
2014-09-23  2:28 ` eggert at gnu dot org
2014-09-23  7:55 ` fweimer at redhat dot com
2017-01-17 21:24 ` eggert at gnu dot org
2021-02-06  7:37 ` eggert at cs dot ucla.edu
2021-03-04  7:33 ` mliska at suse dot cz
2021-08-16  0:55 ` sam at gentoo dot org
2021-08-16  7:08 ` simon_a_taylor at yahoo dot com
2021-08-25  5:10 ` michael.hudson at canonical dot com
2021-08-25 18:09 ` eggert at cs dot ucla.edu
2021-09-21 15:00 ` cvs-commit at gcc dot gnu.org
2022-09-05 23:06 ` vincent-srcware at vinc17 dot net
2022-09-06  0:37 ` eggert at cs dot ucla.edu
2022-09-06  2:47 ` vincent-srcware at vinc17 dot net
2022-09-06  2:59 ` vincent-srcware at vinc17 dot net
2022-09-06 18:47 ` eggert at cs dot ucla.edu
2022-09-06 22:56 ` vincent-srcware at vinc17 dot net
2022-09-06 23:41 ` eggert at cs dot ucla.edu
2022-09-07  0:17 ` vincent-srcware at vinc17 dot net
2022-09-07  4:31 ` eggert at cs dot ucla.edu
2022-09-07 10:31 ` vincent-srcware at vinc17 dot net
2022-09-07 20:57 ` eggert at cs dot ucla.edu
2022-09-08 11:44 ` vincent-srcware at vinc17 dot net
2022-11-11 16:29 ` cvs-commit at gcc dot gnu.org
