public inbox for glibc-bugs-regex@sourceware.org
From: "eggert at gnu dot org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/11053] Wrong results with backreferences
Date: Tue, 17 Jan 2017 21:24:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

--- Comment #4 from Paul Eggert <eggert at gnu dot org> ---
This bug causes GNU coreutils Bug#22793 "grep -E assertion failure with back
references"; see <https://bugs.gnu.org/22793>. I'm adding comments to both
bug reports so that the connection between the two bugs is clearer.

Although this bug's current assignee is Paolo Bonzini (the original
reporter), I think Paolo is pretty busy doing other stuff. Is someone else
available to work on regex bugs? I suspect the fix for this bug will not be
trivial.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

From: "eggert at gnu dot org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/11053]
 Wrong results with backreferences
Date: Tue, 17 Jan 2017 22:02:00 -0000
X-Bugzilla-Flags: security+

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

--- Comment #5 from Paul Eggert <eggert at gnu dot org> ---
Created attachment 9758
  --> https://sourceware.org/bugzilla/attachment.cgi?id=9758&action=edit
C code to reproduce the bug

I attached a slightly-simpler C-language reproducer for the bug, derived
from the attachment in Bug#17356. If I compile and run this program, it
outputs "a.out: regexec.c:1375: pop_fail_stack: Assertion `num >= 0'
failed." and then aborts.

From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21163] New: Assertion failure in pop_fail_stack when executing a malformed regexp
Date: Tue, 14 Feb 2017 18:54:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21163

            Bug ID: 21163
           Summary: Assertion failure in pop_fail_stack when executing a
                    malformed regexp
           Product: glibc
           Version: 2.24
            Status: NEW
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---
             Flags: security-

Debian bug report:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392

Reproducer from the Debian bug:

#include <assert.h>
#include <regex.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    int rc;
    regex_t preg;
    regmatch_t pmatch[2];

    /* The malformed pattern is accepted by regcomp. */
    rc = regcomp(&preg, "()*)|\\1)*", REG_EXTENDED);
    assert(rc == 0);
    /* The assertion failure is reported while executing the regexp. */
    regexec(&preg, "", 2, pmatch, 0);
    regfree(&preg);

    return 0;
}

This was assigned CVE-2015-8985 even though it is debatable whether this is
a security bug.

From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21163] Assertion failure in pop_fail_stack when
 executing a malformed regexp (CVE-2015-8985)
Date: Tue, 14 Feb 2017 18:55:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21163

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Assertion failure in        |Assertion failure in
                   |pop_fail_stack when         |pop_fail_stack when
                   |executing a malformed       |executing a malformed
                   |regexp                      |regexp (CVE-2015-8985)

From: "vapier at gentoo dot org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21163] Assertion failure in pop_fail_stack when executing a malformed regexp (CVE-2015-8985)
Date: Wed, 15 Feb 2017 08:13:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21163

Mike Frysinger <vapier at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.gentoo.org/show_bug.cgi?id=609386

From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/14780] [PATCH] handle malloc() and realloc() failures in regcomp()
Date: Wed, 15 Mar 2017 17:34:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=14780

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |NEW

From: "boehme.marcel at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21442] New: Crash in re_search_stub
Date: Fri, 28 Apr 2017 01:30:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21442

            Bug ID: 21442
           Summary: Crash in re_search_stub
           Product: glibc
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: boehme.marcel at gmail dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Dear all,

We found a null pointer dereference resulting in a segmentation fault that
might be a bug in diffutils or a bug in GLIBC depending on the perspective
one takes. The patch can be in GLIBC (introducing a simple null pointer
check) or in Diffutils (preventing the null pointer dereference altogether).
We already reported the bug downstream at
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=26690. Below we provide a
quick analysis. We think it is actually an incorrect use of GLIBC. However,
since it can be easily prevented in GLIBC, we thought we should report it
here as well.

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks
also to Van-Thuan Pham.

How to reproduce:

$ diff -Ia -I\\ <(printf "") <(echo a)
diff: \: Trailing backslash
diff: stack overflow

ASAN says:

ASAN:DEADLYSIGNAL
=================================================================
==74668==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000d8 (pc 0x7f0670589bad bp 0x000000000000 sp 0x7ffefbed15b0 T0)
    #0 0x7f0670589bac in re_search_stub /build/eglibc-MjiXCM/eglibc-2.19/posix/regexec.c:414
    #1 0x7f067058a527 in re_search /build/eglibc-MjiXCM/eglibc-2.19/posix/regexec.c:312
    #2 0x555bfc in analyze_hunk /home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/../../src/util.c:1522:8
    #3 0x4f91dd in diff_2_files /home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/../../src/analyze.c:620:12
    #4 0x528971 in compare_files /home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/../../src/diff.c:1434:11
    #5 0x51882c in main /home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/../../src/diff.c:800:18
    #6 0x7f06704c4f44 in __libc_start_main /build/eglibc-MjiXCM/eglibc-2.19/csu/libc-start.c:287
    #7 0x41bac5 in _start (/home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/diff+0x41bac5)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/eglibc-MjiXCM/eglibc-2.19/posix/regexec.c:414 in re_search_stub

This is our analysis:

For the diff-tool the argument -I<regexp> specifies the changed lines to
exclude. For each such argument, the function add_regexp in diff.c is
called. This function uses re_compile_pattern to successfully compile the
first pattern. However, it fails to compile the second pattern, giving the
error “Trailing backslash”. In both cases, the function uses the
re_pattern_buffer *ignore_regexp. However, the failed compilation corrupts
*ignore_regexp, setting ignore_regexp->buffer=0x0 and
ignore_regexp->allocated=0.

Later, in function summarize_regexp_list, it is established that at least
one pattern was successfully compiled and ignore_regexp->fastmap is set,
indicating that re_search is being called in utils.c:1501. Unfortunately,
it is being called on the corrupted ignore_regexp where
ignore_regexp->buf = 0x0. GLIBC does not check for a null-pointer when
dereferencing the buffer in regexec.c:413.

GDB says:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7af5056 in re_search_stub (bufp=0x6228a0 <ignore_regexp>, string=string@entry=0x62a050 "a\n", length=1, start=start@entry=0, range=1, stop=1, regs=0x0, ret_len=0) at regexec.c:413
413     in regexec.c
(gdb) p *bufp
$1 = {buffer = 0x0, allocated = 0, used = 224, syntax = 330310, fastmap = 0x6271f0 "\330\036\335\367\377\177", translate = 0x0, re_nsub = 0, can_be_null = 0, regs_allocated = 0, fastmap_accurate = 0, no_sub = 0, not_bol = 0, not_eol = 0, newline_anchor = 1}
(gdb) bt
#0  0x00007ffff7af5056 in re_search_stub (bufp=0x6228a0 <ignore_regexp>, string=string@entry=0x62a050 "a\n", length=1, start=start@entry=0, range=1, stop=1, regs=0x0, ret_len=0) at regexec.c:413
#1  0x00007ffff7af5a70 in __re_search (bufp=<optimized out>, string=string@entry=0x62a050 "a\n", length=<optimized out>, start=start@entry=0, range=<optimized out>, regs=regs@entry=0x0) at regexec.c:317
#2  0x000000000040ce1e in analyze_hunk (hunk=hunk@entry=0x627340, first0=first0@entry=0x7fffffffdf80, last0=last0@entry=0x7fffffffdf88, first1=first1@entry=0x7fffffffdf90, last1=last1@entry=0x7fffffffdf98) at util.c:1522
#3  0x000000000040507d in diff_2_files (cmp=cmp@entry=0x7fffffffe060) at analyze.c:620
#4  0x00000000004071f7 in compare_files (parent=parent@entry=0x0, name0=0x7fffffffe6ec "/dev/fd/63", name1=<optimized out>) at diff.c:1434
#5  0x000000000040387e in main (argc=<optimized out>, argv=<optimized out>) at diff.c:800

VALGRIND says:

==103798== Memcheck, a memory error detector
==103798== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==103798== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==103798== Command: src/diff -Ia -I\\ /dev/fd/63 /dev/fd/62
==103798==
src/diff: \: Trailing backslash
==103798== Invalid read of size 4
==103798==    at 0x4F21056: re_search_stub (regexec.c:413)
==103798==    by 0x4F21A6F: re_search (regexec.c:317)
==103798==    by 0x40CE1D: analyze_hunk (util.c:1522)
==103798==    by 0x40507C: diff_2_files (analyze.c:620)
==103798==    by 0x4071F6: compare_files (diff.c:1434)
==103798==    by 0x40387D: main (diff.c:800)
==103798==  Address 0xd8 is not stack'd, malloc'd or (recently) free'd
==103798==
diff: stack overflow
==103798==
==103798== HEAP SUMMARY:
==103798==     in use at exit: 4,970 bytes in 25 blocks
==103798==   total heap usage: 75 allocs, 50 frees, 28,030 bytes allocated
==103798==
==103798== LEAK SUMMARY:
==103798==    definitely lost: 136 bytes in 5 blocks
==103798==    indirectly lost: 120 bytes in 6 blocks
==103798==      possibly lost: 0 bytes in 0 blocks
==103798==    still reachable: 4,714 bytes in 14 blocks
==103798==         suppressed: 0 bytes in 0 blocks
==103798== Rerun with --leak-check=full to see details of leaked memory
==103798==
==103798== For counts of detected and suppressed errors, rerun with: -v
==103798== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Best regards,
- Marcel

---
Marcel Böhme
Senior Research Fellow
TSUNAMi Security Research Centre
National University of Singapore

From: "adhemerval.zanella at linaro dot org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21442] Crash in re_search_stub
Date: Mon, 01 May 2017 13:50:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21442

Adhemerval Zanella <adhemerval.zanella at linaro dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |adhemerval.zanella at linaro dot org

--- Comment #1 from Adhemerval Zanella <adhemerval.zanella at linaro dot org> ---
Since re_exec is a GNU extension this API corner case should be documented
and afaik unfortunately they aren't (using the gnulib documentation [1]).
For these cases I tend to follow, if possible, the POSIX inspired API. On
POSIX regular expression API [2] states that:

"[...] If the preg argument to regexec() or regfree() is not a compiled
regular expression returned by regcomp(), the result is undefined. [...]"

So if I understood correctly the issue description, it is using an invalid
regular expression buffer description on re_search (since the expression
compilation failed). IMHO we should treat this as undefined (as POSIX
counterpart) and let the user handle it correctly.

In short, I would say we should close this as not a bug.

[1] https://www.gnu.org/software/gnulib/manual/html_node/GNU-Searching.html
[2] http://pubs.opengroup.org/onlinepubs/9699919799/
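
The caller-side handling that bug 21442 comes down to, as an added example that is not part of the original thread and is not diffutils or glibc code. It uses the POSIX regcomp()/regexec() interface quoted above rather than re_compile_pattern()/re_search(); struct ignore_list, its functions and MAX_IGNORE are hypothetical names.

```c
#include <regex.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_IGNORE 8 /* constructed limit for this example */

struct ignore_list {
    regex_t compiled[MAX_IGNORE]; /* only slots [0, count) hold valid regexes */
    size_t count;                 /* patterns that compiled successfully */
    size_t rejected;              /* patterns that failed to compile */
};

void ignore_list_init(struct ignore_list *list)
{
    list->count = 0;
    list->rejected = 0;
}

/* Compile one pattern into the next free slot. The slot becomes visible to
   the matcher only when regcomp() succeeds; after a failure its contents
   are undefined, so it is never searched and never passed to regfree().
   Returns 0 or the regcomp() error code; errbuf receives the message. */
int ignore_list_add(struct ignore_list *list, const char *pattern,
                    char *errbuf, size_t errlen)
{
    regex_t *slot;
    int rc;

    if (list->count == MAX_IGNORE) {
        snprintf(errbuf, errlen, "too many patterns");
        list->rejected++;
        return REG_ESPACE;
    }
    slot = &list->compiled[list->count];
    rc = regcomp(slot, pattern, REG_NOSUB | REG_NEWLINE);
    if (rc != 0) {
        regerror(rc, slot, errbuf, errlen);
        list->rejected++;
        return rc;
    }
    list->count++; /* commit: the slot now holds a compiled regex */
    return 0;
}

/* True when any successfully compiled pattern matches the line. */
bool ignore_list_matches(const struct ignore_list *list, const char *line)
{
    for (size_t i = 0; i < list->count; i++)
        if (regexec(&list->compiled[i], line, 0, NULL, 0) == 0)
            return true;
    return false;
}

void ignore_list_free(struct ignore_list *list)
{
    while (list->count > 0)
        regfree(&list->compiled[--list->count]);
}

/* Replays the option sequence from the report (pattern "a", then a lone
   backslash) and tests one line. Returns -1 if the bookkeeping is not
   (1 valid, 1 rejected), otherwise 1 when the line matches and 0 when not. */
int replay_report_case(const char *line)
{
    struct ignore_list list;
    char err[128];
    int result;

    ignore_list_init(&list);
    (void) ignore_list_add(&list, "a", err, sizeof err);
    (void) ignore_list_add(&list, "\\", err, sizeof err);
    if (list.count != 1 || list.rejected != 1)
        result = -1;
    else
        result = ignore_list_matches(&list, line) ? 1 : 0;
    ignore_list_free(&list);
    return result;
}

int main(void)
{
    struct ignore_list list;
    char err[128];

    ignore_list_init(&list);
    ignore_list_add(&list, "a", err, sizeof err);
    if (ignore_list_add(&list, "\\", err, sizeof err) != 0)
        printf("rejected pattern: %s\n", err);
    printf("valid=%zu rejected=%zu ignore(\"a\")=%d\n", list.count,
           list.rejected, (int) ignore_list_matches(&list, "a\n"));
    ignore_list_free(&list);
    return 0;
}
```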

From: "boehme.marcel at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21442] Crash in re_search_stub
Date: Tue, 02 May 2017 00:43:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21442

Marcel Böhme <boehme.marcel at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID

--- Comment #2 from Marcel Böhme <boehme.marcel at gmail dot com> ---
Agreed. Thanks!

From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21442] Crash in re_search_stub
Date: Tue, 30 May 2017 19:41:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21442

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-

From: "bensberg at telfort dot nl" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/21673] New: a regexec call with REG_STARTEND finds a bogus match for \>
Date: Mon, 26 Jun 2017 10:08:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21673

            Bug ID: 21673
           Summary: a regexec call with REG_STARTEND finds a bogus match
                    for \>
           Product: glibc
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: bensberg at telfort dot nl
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Created attachment 10222
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10222&action=edit
tiny program that searches for \> starting from two different positions

When calling regexec with the REG_STARTEND flag and providing an
end-of-range value (in .rm_eo) that points to somewhere in the middle of a
word, regexec will nevertheless find a match for \> at that offset.

The corresponding case for \<, with a start-of-range value (in .rm_so) that
points to the middle of a word, will /not/ find a match for \< there. The
latter is what I expected, the former was a surprise.

To reproduce:
Compile the attached until.c and run it.

The actual output is:
Found tail at 6: '. '
Found tail at 4: 'rd. '

Expected result:
The second line of output shouldn't have been there, because the word does
not end after "wo".
First seen on Ubuntu Lucid (10.04). Still present on Ubuntu Zesty (17.04, glibc 2.24). -- You are receiving this mail because: You are on the CC list for the bug. >From glibc-bugs-regex-return-718-listarch-glibc-bugs-regex=sources.redhat.com@sourceware.org Mon Nov 13 00:52:38 2017 Return-Path: <glibc-bugs-regex-return-718-listarch-glibc-bugs-regex=sources.redhat.com@sourceware.org> Delivered-To: listarch-glibc-bugs-regex@sources.redhat.com Received: (qmail 118734 invoked by alias); 13 Nov 2017 00:52:38 -0000 Mailing-List: contact glibc-bugs-regex-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: <glibc-bugs-regex.sourceware.org> List-Subscribe: <mailto:glibc-bugs-regex-subscribe@sourceware.org> List-Post: <mailto:glibc-bugs-regex@sourceware.org> List-Help: <mailto:glibc-bugs-regex-help@sourceware.org>, <http://sourceware.org/lists.html#faqs> Sender: glibc-bugs-regex-owner@sourceware.org Delivered-To: mailing list glibc-bugs-regex@sourceware.org Received: (qmail 118559 invoked by uid 48); 13 Nov 2017 00:52:34 -0000 From: "gniibe at fsij dot org" <sourceware-bugzilla@sourceware.org> To: glibc-bugs-regex@sourceware.org Subject: [Bug regex/22425] New: Escape by \ with REG_ICASE Date: Mon, 13 Nov 2017 00:52:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: glibc X-Bugzilla-Component: regex X-Bugzilla-Version: unspecified X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: gniibe at fsij dot org X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_file_loc bug_status bug_severity priority component assigned_to reporter cc target_milestone attachments.created Message-ID: <bug-22425-132@http.sourceware.org/bugzilla/> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable 
X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-SW-Source: 2017-11/txt/msg00000.txt.bz2 Content-length: 860 https://sourceware.org/bugzilla/show_bug.cgi?id=22425 Bug ID: 22425 Summary: Escape by \ with REG_ICASE Product: glibc Version: unspecified URL: https://dev.gnupg.org/T2923 Status: UNCONFIRMED Severity: normal Priority: P2 Component: regex Assignee: unassigned at sourceware dot org Reporter: gniibe at fsij dot org CC: drepper.fsp at gmail dot com Target Milestone: --- Created attachment 10583 --> https://sourceware.org/bugzilla/attachment.cgi?id=10583&action=edit Test program to show regcomp bug With REG_ICASE, escape by \ (backslash) doesn't work well. Regexp of \x\y\z is expected to match string of xyz with REG_ICASE. -- You are receiving this mail because: You are on the CC list for the bug. >From glibc-bugs-regex-return-719-listarch-glibc-bugs-regex=sources.redhat.com@sourceware.org Mon Nov 13 08:34:56 2017 Return-Path: <glibc-bugs-regex-return-719-listarch-glibc-bugs-regex=sources.redhat.com@sourceware.org> Delivered-To: listarch-glibc-bugs-regex@sources.redhat.com Received: (qmail 57220 invoked by alias); 13 Nov 2017 08:34:55 -0000 Mailing-List: contact glibc-bugs-regex-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: <glibc-bugs-regex.sourceware.org> List-Subscribe: <mailto:glibc-bugs-regex-subscribe@sourceware.org> List-Post: <mailto:glibc-bugs-regex@sourceware.org> List-Help: <mailto:glibc-bugs-regex-help@sourceware.org>, <http://sourceware.org/lists.html#faqs> Sender: glibc-bugs-regex-owner@sourceware.org Delivered-To: mailing list glibc-bugs-regex@sourceware.org Received: (qmail 57184 invoked by uid 48); 13 Nov 2017 08:34:52 -0000 From: "schwab@linux-m68k.org" <sourceware-bugzilla@sourceware.org> To: glibc-bugs-regex@sourceware.org Subject: [Bug regex/22425] Escape by \ with REG_ICASE Date: Mon, 13 Nov 2017 08:34:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed 
X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: glibc X-Bugzilla-Component: regex X-Bugzilla-Version: unspecified X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: schwab@linux-m68k.org X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: <bug-22425-132-y83UFcBEix@http.sourceware.org/bugzilla/> In-Reply-To: <bug-22425-132@http.sourceware.org/bugzilla/> References: <bug-22425-132@http.sourceware.org/bugzilla/> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-SW-Source: 2017-11/txt/msg00001.txt.bz2 Content-length: 254 https://sourceware.org/bugzilla/show_bug.cgi?id=22425 --- Comment #1 from Andreas Schwab <schwab@linux-m68k.org> --- Unknown backslash escapes invoke undefined behaviour. -- You are receiving this mail because: You are on the CC list for the bug. 

From: "eggert at cs dot ucla.edu" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/11053] Wrong results with backreferences
Date: Fri, 08 Dec 2017 18:32:00 -0000
X-Bugzilla-Flags: security+

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

eggert at cs dot ucla.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |eggert at cs dot ucla.edu

--- Comment #6 from eggert at cs dot ucla.edu ---
Created attachment 10674
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10674&action=edit
This test case silently returns the wrong answer

Following up on a 'grep' bug report here:

https://debbugs.gnu.org/29613

attached is a seemingly-related test case which illustrates a bug that causes
'grep' to quietly return the wrong answer instead of dumping core. This test
case should exit successfully, but because of the bug regexec returns 0 so the
test case exits with status 1. I compiled and ran it on Fedora 27 x86-64 with
"gcc regbug.c; ./a.out".

From: "jim at meyering dot net" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/22620] New: parse_expression blows stack for a 20k-byte regexp with only '('s
Date: Sat, 16 Dec 2017 19:13:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22620

            Bug ID: 22620
           Summary: parse_expression blows stack for a 20k-byte regexp
                    with only '('s
           Product: glibc
           Version: 2.28
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: jim at meyering dot net
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

glibc's regexp parser used to diagnose this problem with "Unmatched ( or \(",
but that no longer happens. Perhaps related (since COMPILE_STACK_ macros are
what caught the problem before), this change in 2002 removed the code in
question:

https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=51f38e87b13f233bdf76bd6d3edaabf4fd9eb126

Now, attempting to compile such a regexp causes stack overflow and probable
segfault.

Demonstrate with this:

$ cat regex-compile-lparen-stack-overflow.c
#include <stdlib.h>
#include <string.h>
#include <regex.h>
int
main (int argc, char **argv)
{
  size_t n = 40000;
  regex_t preg;
  char *pat = malloc (n+1);
  if (!pat)
    return 2;
  memset (pat, '(', n);
  pat[n] = '\0';
  int rc = regcomp (&preg, pat, REG_EXTENDED);
  return rc == 0;
}
$ gcc -g -O -Wall regex-compile-lparen-stack-overflow.c && ./a.out
segmentation fault (core dumped) ./a.out
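
Added example (not part of the bug report, and not glibc code): a caller-side guard for the stack overflow reported in Bug 22620, which bounds pattern length and '(' nesting depth before an untrusted ERE reaches regcomp. The limits MAX_PATTERN_LEN and MAX_GROUP_DEPTH and the names ere_max_group_depth and regcomp_bounded are assumptions made for this illustration.

```c
#include <regex.h>
#include <string.h>

/* Assumed limits for illustration; tune them to the application. */
#define MAX_PATTERN_LEN 4096
#define MAX_GROUP_DEPTH 64

/* Deepest '(' nesting in a POSIX ERE. Backslash escapes and bracket
   expressions are skipped, since '(' is an ordinary character there. A bracket
   is closed at its first ']', so the depth can only be overestimated. */
size_t ere_max_group_depth(const char *pat)
{
    size_t depth = 0, max = 0;
    for (size_t i = 0; pat[i] != '\0'; i++) {
        if (pat[i] == '\\') {
            if (pat[i + 1] != '\0')
                i++;                       /* skip the escaped character */
        } else if (pat[i] == '[') {
            i++;
            if (pat[i] == '^') i++;
            if (pat[i] == ']') i++;        /* a leading ']' is a literal */
            while (pat[i] != '\0' && pat[i] != ']')
                i++;
            if (pat[i] == '\0')
                break;                     /* unterminated: regcomp reports it */
        } else if (pat[i] == '(') {
            if (++depth > max)
                max = depth;
        } else if (pat[i] == ')' && depth > 0) {
            depth--;
        }
    }
    return max;
}

/* Compile an untrusted ERE only when it is within both limits; otherwise
   return REG_ESPACE without ever entering the recursive parser. */
int regcomp_bounded(regex_t *preg, const char *pat, int cflags)
{
    if (strlen(pat) > MAX_PATTERN_LEN)
        return REG_ESPACE;
    if (ere_max_group_depth(pat) > MAX_GROUP_DEPTH)
        return REG_ESPACE;
    return regcomp(preg, pat, cflags | REG_EXTENDED);
}

int main(void)
{
    char pat[40001];                       /* same pattern as the report */
    regex_t preg;
    memset(pat, '(', 40000);
    pat[40000] = '\0';
    return regcomp_bounded(&preg, pat, 0) == REG_ESPACE ? 0 : 1;
}
```

The guard only covers nesting depth and length, the two inputs the report ties to the crash; it does not replace running pattern compilation with a bounded stack or in a separate process when patterns come from untrusted sources.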