public inbox for glibc-bugs-regex@sourceware.org
From: "eggert at gnu dot org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/11053] Wrong results with backreferences
Date: Tue, 17 Jan 2017 21:24:00 -0000	[thread overview]
Message-ID: <bug-11053-132-16R2D9aQAz@http.sourceware.org/bugzilla/> (raw)
In-Reply-To: <bug-11053-132@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

--- Comment #4 from Paul Eggert <eggert at gnu dot org> ---
This bug causes GNU coreutils Bug#22793 "grep -E assertion failure with back
references"; see <https://bugs.gnu.org/22793>. I'm adding comments to both bug
reports so that the connection between the two bugs is clearer.

Although this bug's current assignee is Paolo Bonzini (the original reporter),
I think Paolo is pretty busy doing other stuff. Is someone else available to
work on regex bugs? I suspect the fix for this bug will not be trivial.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
From: "eggert at gnu dot org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/11053] Wrong results with backreferences
Date: Tue, 17 Jan 2017 22:02:00 -0000
X-Bugzilla-Flags: security+
Message-ID: <bug-11053-132-IQT2Z8iYEe@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-11053-132@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

--- Comment #5 from Paul Eggert <eggert at gnu dot org> ---
Created attachment 9758
  --> https://sourceware.org/bugzilla/attachment.cgi?id=9758&action=edit
C code to reproduce the bug

I attached a slightly-simpler C-language reproducer for the bug, derived from
the attachment in Bug#17356. If I compile and run this program, it outputs
"a.out: regexec.c:1375: pop_fail_stack: Assertion `num >= 0' failed." and then
aborts.

From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21163] New: Assertion failure in pop_fail_stack when executing a malformed regexp
Date: Tue, 14 Feb 2017 18:54:00 -0000
X-Bugzilla-Flags: security-
Message-ID: <bug-21163-132@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=21163

            Bug ID: 21163
           Summary: Assertion failure in pop_fail_stack when executing a
                    malformed regexp
           Product: glibc
           Version: 2.24
            Status: NEW
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---
             Flags: security-

Debian bug report:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392

Reproducer from the Debian bug:

#include <assert.h>
#include <regex.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    int rc;
    regex_t preg;
    regmatch_t pmatch[2];

    /* Malformed ERE containing a back-reference; regcomp() accepts it ... */
    rc = regcomp(&preg, "()*)|\\1)*", REG_EXTENDED);
    assert(rc == 0);
    /* ... and regexec() on the empty string then aborts with the
       pop_fail_stack assertion failure described above. */
    regexec(&preg, "", 2, pmatch, 0);
    regfree(&preg);
    return 0;
}

This was assigned CVE-2015-8985 even though it is debatable whether this is a
security bug.

From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21163] Assertion failure in pop_fail_stack when executing a malformed regexp (CVE-2015-8985)
Date: Tue, 14 Feb 2017 18:55:00 -0000
X-Bugzilla-Flags: security-
Message-ID: <bug-21163-132-UgkCc8DrBS@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-21163-132@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=21163

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Assertion failure in        |Assertion failure in
                   |pop_fail_stack when         |pop_fail_stack when
                   |executing a malformed       |executing a malformed
                   |regexp                      |regexp (CVE-2015-8985)

From: "vapier at gentoo dot org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21163] Assertion failure in pop_fail_stack when executing a malformed regexp (CVE-2015-8985)
Date: Wed, 15 Feb 2017 08:13:00 -0000
X-Bugzilla-Flags: security-
Message-ID: <bug-21163-132-2dtZa0VCDn@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-21163-132@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=21163

Mike Frysinger <vapier at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.gentoo.org/sho
                   |                            |w_bug.cgi?id=609386

From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/14780] [PATCH] handle malloc() and realloc() failures in regcomp()
Date: Wed, 15 Mar 2017 17:34:00 -0000
X-Bugzilla-Flags: security-
Message-ID: <bug-14780-132-0shxdXmHdT@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-14780-132@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=14780

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |NEW

From: "boehme.marcel at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21442] New: Crash in re_search_stub
Date: Fri, 28 Apr 2017 01:30:00 -0000
Message-ID: <bug-21442-132@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=21442

            Bug ID: 21442
           Summary: Crash in re_search_stub
           Product: glibc
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: boehme.marcel at gmail dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Dear all,

We found a null pointer dereference resulting in a segmentation fault that
might be a bug in diffutils or a bug in GLIBC, depending on the perspective one
takes. The patch can be in GLIBC (introducing a simple null pointer check) or
in Diffutils (preventing the null pointer dereference altogether). We already
reported the bug downstream at
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=26690. Below we provide a quick
analysis. We think it is actually an incorrect use of GLIBC. However, since it
can be easily prevented in GLIBC, we thought we should report it here as well.

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also
to Van-Thuan Pham.

How to reproduce:
$ diff -Ia -I\\ <(printf "") <(echo a)
diff: \: Trailing backslash
diff: stack overflow

ASAN says:
ASAN:DEADLYSIGNAL
=================================================================
==74668==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000d8 (pc
0x7f0670589bad bp 0x000000000000 sp 0x7ffefbed15b0 T0)
   #0 0x7f0670589bac in re_search_stub
/build/eglibc-MjiXCM/eglibc-2.19/posix/regexec.c:414
   #1 0x7f067058a527 in re_search
/build/eglibc-MjiXCM/eglibc-2.19/posix/regexec.c:312
   #2 0x555bfc in analyze_hunk
/home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/../../src/util.c:1522:8
   #3 0x4f91dd in diff_2_files
/home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/../../src/analyze.c:620:12
   #4 0x528971 in compare_files
/home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/../../src/diff.c:1434:11
   #5 0x51882c in main
/home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/../../src/diff.c:800:18
   #6 0x7f06704c4f44 in __libc_start_main
/build/eglibc-MjiXCM/eglibc-2.19/csu/libc-start.c:287
   #7 0x41bac5 in _start
(/home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/diff+0x41bac5)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/build/eglibc-MjiXCM/eglibc-2.19/posix/regexec.c:414 in re_search_stub

This is our analysis:
For the diff tool, the argument -I<regexp> specifies the changed lines to
exclude. For each such argument, the function add_regexp in diff.c is called.
This function uses re_compile_pattern to successfully compile the first
pattern. However, it fails to compile the second pattern, giving the error
"Trailing backslash". In both cases, the function uses the re_pattern_buffer
*ignore_regexp. However, the failed compilation corrupts *ignore_regexp,
setting ignore_regexp->buffer=0x0 and ignore_regexp->allocated=0. Later, in
function summarize_regexp_list, it is established that at least one pattern was
successfully compiled and ignore_regexp->fastmap is set, indicating that
re_search is being called in utils.c:1501. Unfortunately, it is being called on
the corrupted ignore_regexp where ignore_regexp->buf = 0x0. GLIBC does not
check for a null pointer when dereferencing the buffer in regexec.c:413.

GDB says:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7af5056 in re_search_stub (bufp=0x6228a0 <ignore_regexp>,
string=string@entry=0x62a050 "a\n", length=1, start=start@entry=0, range=1,
stop=1, regs=0x0, ret_len=0) at regexec.c:413
413     in regexec.c
(gdb) p *bufp
$1 = {buffer = 0x0, allocated = 0, used = 224, syntax = 330310, fastmap =
0x6271f0 "\330\036\335\367\377\177", translate = 0x0, re_nsub = 0, can_be_null
= 0, regs_allocated = 0, fastmap_accurate = 0, no_sub = 0, not_bol = 0, not_eol
= 0, newline_anchor = 1}
(gdb) bt
#0  0x00007ffff7af5056 in re_search_stub (bufp=0x6228a0 <ignore_regexp>,
string=string@entry=0x62a050 "a\n", length=1, start=start@entry=0, range=1,
stop=1, regs=0x0, ret_len=0) at regexec.c:413
#1  0x00007ffff7af5a70 in __re_search (bufp=<optimized out>,
string=string@entry=0x62a050 "a\n", length=<optimized out>,
start=start@entry=0, range=<optimized out>, regs=regs@entry=0x0) at
regexec.c:317
#2  0x000000000040ce1e in analyze_hunk (hunk=hunk@entry=0x627340,
first0=first0@entry=0x7fffffffdf80, last0=last0@entry=0x7fffffffdf88,
first1=first1@entry=0x7fffffffdf90, last1=last1@entry=0x7fffffffdf98) at
util.c:1522
#3  0x000000000040507d in diff_2_files (cmp=cmp@entry=0x7fffffffe060) at
analyze.c:620
#4  0x00000000004071f7 in compare_files (parent=parent@entry=0x0,
name0=0x7fffffffe6ec "/dev/fd/63", name1=<optimized out>) at diff.c:1434
#5  0x000000000040387e in main (argc=<optimized out>, argv=<optimized out>) at
diff.c:800

VALGRIND says:
==103798== Memcheck, a memory error detector
==103798== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==103798== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==103798== Command: src/diff -Ia -I\\ /dev/fd/63 /dev/fd/62
==103798== 
src/diff: \: Trailing backslash
==103798== Invalid read of size 4
==103798==    at 0x4F21056: re_search_stub (regexec.c:413)
==103798==    by 0x4F21A6F: re_search (regexec.c:317)
==103798==    by 0x40CE1D: analyze_hunk (util.c:1522)
==103798==    by 0x40507C: diff_2_files (analyze.c:620)
==103798==    by 0x4071F6: compare_files (diff.c:1434)
==103798==    by 0x40387D: main (diff.c:800)
==103798==  Address 0xd8 is not stack'd, malloc'd or (recently) free'd
==103798== 
diff: stack overflow
==103798== 
==103798== HEAP SUMMARY:
==103798==     in use at exit: 4,970 bytes in 25 blocks
==103798==   total heap usage: 75 allocs, 50 frees, 28,030 bytes allocated
==103798== 
==103798== LEAK SUMMARY:
==103798==    definitely lost: 136 bytes in 5 blocks
==103798==    indirectly lost: 120 bytes in 6 blocks
==103798==      possibly lost: 0 bytes in 0 blocks
==103798==    still reachable: 4,714 bytes in 14 blocks
==103798==         suppressed: 0 bytes in 0 blocks
==103798== Rerun with --leak-check=full to see details of leaked memory
==103798== 
==103798== For counts of detected and suppressed errors, rerun with: -v
==103798== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Best regards,
- Marcel

---
Marcel Böhme
Senior Research Fellow
TSUNAMi Security Research Centre
National University of Singapore

From: "adhemerval.zanella at linaro dot org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21442] Crash in re_search_stub
Date: Mon, 01 May 2017 13:50:00 -0000
Message-ID: <bug-21442-132-b2CHASdziM@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-21442-132@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=21442

Adhemerval Zanella <adhemerval.zanella at linaro dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |adhemerval.zanella at linaro dot o
                   |                            |rg

--- Comment #1 from Adhemerval Zanella <adhemerval.zanella at linaro dot org> ---
Since re_exec is a GNU extension, this API corner case should be documented, and
afaik unfortunately it isn't (using the gnulib documentation [1]).

For these cases I tend to follow, if possible, the POSIX-inspired API. The POSIX
regular expression API [2] states that:

"[...] If the preg argument to regexec() or regfree() is not a compiled regular
expression returned by regcomp(), the result is undefined. [...]"

So if I understood the issue description correctly, it is using an invalid
regular expression buffer description on re_search (since the expression
compilation failed). IMHO we should treat this as undefined (as the POSIX
counterpart does) and let the user handle it correctly. In short, I would say we
should close this as not a bug.

[1] https://www.gnu.org/software/gnulib/manual/html_node/GNU-Searching.html
[2] http://pubs.opengroup.org/onlinepubs/9699919799/
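The defensive pattern both of the preceding posts point at (track whether compilation succeeded, and never hand a buffer that failed to compile to the search or free routines) in code. This is an added example, not glibc's or diffutils' code. It uses the POSIX regcomp()/regexec() pair that the quoted standard text covers rather than the GNU re_compile_pattern()/re_search() pair diffutils calls; the same rule applies to both. The struct tracked_regex, tracked_compile, tracked_search, tracked_free and matches_any names and the TRACKED_* return codes are this example's own conventions, and the sample patterns are the two -I arguments from the diff invocation in the report.

```c
#include <regex.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wrapper (example code, not from glibc or diffutils): a regex_t
   plus a flag recording whether regcomp() succeeded, so the buffer is never
   passed to regexec() or regfree() unless it really holds a compiled pattern. */
struct tracked_regex {
    regex_t re;
    bool compiled;
    char err[128];   /* regerror() text of the last failed compile, else "" */
};

/* Return values of tracked_search(): a match offset >= 0, or one of these
   (codes chosen for this example). */
#define TRACKED_NOMATCH (-1)
#define TRACKED_NOT_COMPILED (-2)

/* Compile PATTERN as a POSIX ERE. Returns true on success. After a failure
   the regex_t is in an unspecified state, which is exactly why the flag,
   not the buffer's contents, decides whether it may be searched. */
bool tracked_compile(struct tracked_regex *r, const char *pattern)
{
    int rc = regcomp(&r->re, pattern, REG_EXTENDED);
    r->compiled = (rc == 0);
    if (rc != 0)
        regerror(rc, &r->re, r->err, sizeof r->err);
    else
        r->err[0] = '\0';
    return r->compiled;
}

/* Search STRING with R. Refuses to call regexec() on an uncompiled buffer,
   which POSIX leaves undefined (and which, via re_search, crashed in the
   report above). */
int tracked_search(struct tracked_regex *r, const char *string)
{
    if (!r->compiled)
        return TRACKED_NOT_COMPILED;
    regmatch_t m;
    if (regexec(&r->re, string, 1, &m, 0) != 0)
        return TRACKED_NOMATCH;
    return (int)m.rm_so;
}

/* regfree() is likewise only defined for a successfully compiled regex_t. */
void tracked_free(struct tracked_regex *r)
{
    if (r->compiled) {
        regfree(&r->re);
        r->compiled = false;
    }
}

/* Mirror of the reported scenario: does LINE match any of the N patterns that
   compiled? A pattern that fails to compile is reported and skipped instead of
   being searched with a half-initialised buffer. */
bool matches_any(const char *const *patterns, size_t n, const char *line)
{
    bool hit = false;
    for (size_t i = 0; i < n && !hit; i++) {
        struct tracked_regex r;
        if (!tracked_compile(&r, patterns[i]))
            fprintf(stderr, "pattern %zu '%s': %s (skipped)\n",
                    i, patterns[i], r.err);
        else if (tracked_search(&r, line) >= 0)
            hit = true;
        tracked_free(&r);
    }
    return hit;
}

int main(void)
{
    /* Constructed sample: the two -I patterns from the diff invocation in the
       report ("a" compiles, "\" fails with a trailing-backslash error). */
    const char *patterns[] = { "a", "\\" };
    const char *lines[] = { "a", "b" };
    for (size_t i = 0; i < 2; i++)
        printf("line \"%s\": %s\n", lines[i],
               matches_any(patterns, 2, lines[i]) ? "ignored" : "kept");
    return 0;
}
```

The second pattern is rejected at compile time and reported once; the line "a" is still matched by the first pattern, and no call ever reaches regexec() with a buffer whose regcomp() failed.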

From: "boehme.marcel at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21442] Crash in re_search_stub
Date: Tue, 02 May 2017 00:43:00 -0000
Message-ID: <bug-21442-132-g41Bpp6me3@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-21442-132@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=21442

Marcel Böhme <boehme.marcel at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID

--- Comment #2 from Marcel Böhme <boehme.marcel at gmail dot com> ---
Agreed. Thanks!

From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21442] Crash in re_search_stub
Date: Tue, 30 May 2017 19:41:00 -0000
X-Bugzilla-Flags: security-
Message-ID: <bug-21442-132-YgNnGsjhKA@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-21442-132@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=21442

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-

-- 
You are receiving this mail because:
You are on the CC list for the bug.
From: "bensberg at telfort dot nl" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21673] New: a regexec call with REG_STARTEND finds a bogus match for \>
Date: Mon, 26 Jun 2017 10:08:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: regex
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: bensberg at telfort dot nl
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution:
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc target_milestone attachments.created
Message-ID: <bug-21673-132@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=21673

            Bug ID: 21673
           Summary: a regexec call with REG_STARTEND finds a bogus match
                    for \>
           Product: glibc
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: bensberg at telfort dot nl
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Created attachment 10222
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10222&action=edit
tiny program that searches for \> starting from two different positions

When calling regexec with the REG_STARTEND flag and providing
an end-of-range value (in .rm_eo) that points to somewhere in
the middle of a word, regexec will nevertheless find a match
for \> at that offset.  The corresponding case for \<, with a
start-of-range value (in .rm_so) that points to the middle of
a word, will /not/ find a match for \< there.  The latter is
what I expected, the former was a surprise.

To reproduce:
Compile the attached until.c and run it.

The actual output is:
Found tail at 6: '.  '
Found tail at 4: 'rd.  '

Expected result:
The second line of output shouldn't have been there, because
the word does not end after "wo".

First seen on Ubuntu Lucid (10.04).  Still present on Ubuntu
Zesty (17.04, glibc 2.24).

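The asymmetry this report describes, as an added example that is not the reporter's until.c: a wrapper around regexec(REG_STARTEND) that accepts a \> match only when the full, untruncated buffer confirms a word end at that offset, so a bogus match at a mid-word rm_eo is turned back into "no match". The text "  word.  " and the helper names are constructed here; the offsets 6 and 4 are the ones in the report's output.

```c
/* Added example, not the reporter's until.c: a regexec(REG_STARTEND) wrapper
   that accepts a "\>" match only when the full, untruncated buffer confirms a
   word end at that offset.  The text "  word.  " is constructed so that the
   offsets 6 and 4 quoted in the report come out. */
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Word character as \< and \> see it: alphanumeric or underscore. */
static int is_word_char(unsigned char c)
{
    return isalnum(c) || c == '_';
}

/* A genuine word end at pos: word char before it, non-word char (or the
   terminating NUL) at it.  Looks at the real buffer, not the rm_eo view. */
static int real_word_end(const char *buf, size_t pos)
{
    return pos > 0 && is_word_char((unsigned char)buf[pos - 1])
        && !is_word_char((unsigned char)buf[pos]);
}

/* Offset of the first "\>" match in buf[so, eo), -1 if none, -2 if the
   pattern fails to compile.  With checked != 0 a match is dropped when the
   full buffer shows no word end there, which turns the bogus match at a
   mid-word rm_eo into "no match" while leaving genuine matches alone. */
long word_end_in_range(const char *buf, size_t so, size_t eo, int checked)
{
    regex_t re;
    regmatch_t m[1];
    long result = -1;

    if (regcomp(&re, "\\>", REG_EXTENDED) != 0)
        return -2;
    m[0].rm_so = (regoff_t)so;
    m[0].rm_eo = (regoff_t)eo;
    if (regexec(&re, buf, 1, m, REG_STARTEND) == 0
        && (!checked || real_word_end(buf, (size_t)m[0].rm_so)))
        result = m[0].rm_so;
    regfree(&re);
    return result;
}

int main(void)
{
    const char text[] = "  word.  ";      /* constructed sample, "wo|rd" at 4 */
    printf("full range, raw:  %ld\n", word_end_in_range(text, 0, strlen(text), 0));
    printf("rm_eo = 4, raw:   %ld\n", word_end_in_range(text, 0, 4, 0));
    printf("rm_eo = 4, check: %ld\n", word_end_in_range(text, 0, 4, 1));
    return 0;
}
```

On a libc with the reported behaviour the second line prints 4 and the third -1; on one without it both print -1.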
From: "gniibe at fsij dot org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/22425] New: Escape by \ with REG_ICASE
Date: Mon, 13 Nov 2017 00:52:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: regex
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: gniibe at fsij dot org
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution:
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_file_loc bug_status bug_severity priority component assigned_to reporter cc target_milestone attachments.created
Message-ID: <bug-22425-132@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=22425

            Bug ID: 22425
           Summary: Escape by \ with REG_ICASE
           Product: glibc
           Version: unspecified
               URL: https://dev.gnupg.org/T2923
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: gniibe at fsij dot org
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Created attachment 10583
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10583&action=edit
Test program to show regcomp bug

With REG_ICASE, escaping with \ (backslash) doesn't work well.
The regexp \x\y\z is expected to match the string xyz with REG_ICASE.

From: "schwab@linux-m68k.org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/22425] Escape by \ with REG_ICASE
Date: Mon, 13 Nov 2017 08:34:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: regex
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: schwab@linux-m68k.org
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution:
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields:
Message-ID: <bug-22425-132-y83UFcBEix@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-22425-132@http.sourceware.org/bugzilla/>
References: <bug-22425-132@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=22425

--- Comment #1 from Andreas Schwab <schwab@linux-m68k.org> ---
Unknown backslash escapes invoke undefined behaviour.

From: "eggert at cs dot ucla.edu" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/11053] Wrong results with backreferences
Date: Fri, 08 Dec 2017 18:32:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: regex
X-Bugzilla-Version: 2.11
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: eggert at cs dot ucla.edu
X-Bugzilla-Status: ASSIGNED
X-Bugzilla-Resolution:
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: bonzini at gnu dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: security+
X-Bugzilla-Changed-Fields: cc attachments.created
Message-ID: <bug-11053-132-rjuGGNXofF@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-11053-132@http.sourceware.org/bugzilla/>
References: <bug-11053-132@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

eggert at cs dot ucla.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |eggert at cs dot ucla.edu

--- Comment #6 from eggert at cs dot ucla.edu ---
Created attachment 10674
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10674&action=edit
This test case silently returns the wrong answer

Following up on a 'grep' bug report here:

https://debbugs.gnu.org/29613

attached is a seemingly-related test case which illustrates a bug that causes
'grep' to quietly return the wrong answer instead of dumping core. This test
case should exit successfully, but because of the bug regexec returns 0 so the
test case exits with status 1. I compiled and ran it on Fedora 27 x86-64 with
"gcc regbug.c; ./a.out".

From: "jim at meyering dot net" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/22620] New: parse_expression blows stack for a 20k-byte regexp with only '('s
Date: Sat, 16 Dec 2017 19:13:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: regex
X-Bugzilla-Version: 2.28
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: jim at meyering dot net
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution:
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc target_milestone
Message-ID: <bug-22620-132@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=22620

            Bug ID: 22620
           Summary: parse_expression blows stack for a 20k-byte regexp
                    with only '('s
           Product: glibc
           Version: 2.28
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: jim at meyering dot net
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

glibc's regexp parser used to diagnose this problem with "Unmatched ( or \(",
but that no longer happens. Perhaps related (since COMPILE_STACK_ macros are
what caught the problem before), this change in 2002 removed the code in
question:
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=51f38e87b13f233bdf76bd6d3edaabf4fd9eb126

Now, attempting to compile such a regexp causes stack overflow and probable
segfault.

Demonstrate with this:

$ cat regex-compile-lparen-stack-overflow.c 
#include <stdlib.h>
#include <string.h>
#include <regex.h>

int
main (int argc, char **argv)
{
  size_t n = 40000;
  regex_t preg;
  char *pat = malloc (n+1);
  if (!pat) return 2;
  memset (pat, '(', n);
  pat[n] = '\0';
  int rc = regcomp (&preg, pat, REG_EXTENDED);
  return rc == 0;
}
$ gcc -g -O -Wall regex-compile-lparen-stack-overflow.c && ./a.out
segmentation fault (core dumped)  ./a.out

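A defensive pre-check for the failure mode in this report, added here and not part of the report or of glibc: it bounds the parenthesis nesting depth of an untrusted ERE before the pattern ever reaches regcomp. The names ere_max_depth, safe_regcomp and deep_pattern_rejected and the limit of 1000 are my own choices.

```c
/* Added example, not from the report: bound the '(' nesting depth of an
   untrusted ERE before it reaches regcomp, whose recursive parser the report
   shows overflowing the stack on tens of thousands of '('.  ERE syntax only. */
#include <regex.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Max '(' nesting depth of an ERE, or -1 for an unterminated bracket
   expression.  Escapes and brackets are skipped so "\(" and "[(]" are not
   groups; "[:class:]" is not parsed, so it can only over-count (safe side). */
long ere_max_depth(const char *pat)
{
    long depth = 0, max = 0;
    for (size_t i = 0; pat[i] != '\0'; i++) {
        if (pat[i] == '\\') {                       /* escaped char is literal */
            if (pat[++i] == '\0') break;
        } else if (pat[i] == '[') {                 /* bracket expression */
            i++;
            if (pat[i] == '^') i++;
            if (pat[i] == ']') i++;                 /* leading ']' is literal */
            while (pat[i] != '\0' && pat[i] != ']') i++;
            if (pat[i] == '\0') return -1;
        } else if (pat[i] == '(') {
            if (++depth > max) max = depth;
        } else if (pat[i] == ')' && depth > 0) {
            depth--;
        }
    }
    return max;
}

/* regcomp behind a depth limit: -1 too deep, -2 bad bracket, else regcomp's code. */
int safe_regcomp(regex_t *re, const char *pat, int cflags, long limit)
{
    long d = ere_max_depth(pat);
    if (d < 0) return -2;
    if (d > limit) return -1;
    return regcomp(re, pat, cflags);
}

/* Builds the report's all-'(' pattern of length n; returns 1 if the guard
   rejects it before regcomp is ever called. */
int deep_pattern_rejected(size_t n, long limit)
{
    regex_t re;
    char *pat = malloc(n + 1);
    if (pat == NULL) return 0;
    memset(pat, '(', n);
    pat[n] = '\0';
    int rc = safe_regcomp(&re, pat, REG_EXTENDED, limit);
    if (rc == 0) regfree(&re);
    free(pat);
    return rc == -1;
}
```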

