From: "makovick at gmail dot com"
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/14780] [PATCH] handle malloc() and realloc() failures in regcomp()
Date: Thu, 12 Sep 2013 17:21:00 -0000
X-Bugzilla-Product: glibc
X-Bugzilla-Component: regex
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-URL: http://sourceware.org/bugzilla/
X-SW-Source: 2013-09/txt/msg00001.txt.bz2

https://sourceware.org/bugzilla/show_bug.cgi?id=14780

--- Comment #7 from Jindrich Makovicka ---

(In reply to Rich Felker from comment #6)
> Are there any actual cases where malloc failure is not checked? I reviewed
> regcomp.c briefly and it seems the result is eventually (just not
> immediately) checked before use. However, there are major leaks when malloc
> has failed, since multiple results are checked together and no effort is
> made to free the ones that did succeed.

I do not really recall anymore if there _really_ was a segfault, or it was
only caused when I tried to free such a partially compiled regex using
regfree().

But you can insert the fuzzing code from the first patch, consisting of
xxmalloc and xxrealloc from regcomp.c and #defines from regcomp.h, and run
the attached testcase with, say, 100000 iterations and look what happens.
The memory leaks are obviously real, and were the main reason I was looking
into this.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
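The leak pattern Rich Felker describes in comment #6 (several allocations checked together, with the ones that succeeded never released) and the fault-injection approach mentioned above, as an added example written for this page; it is not the patch's xxmalloc/xxrealloc, nor glibc's regcomp.c. It assumes a counting allocator that forces one chosen allocation to fail, a toy three-buffer object whose field names are illustrative only, and an init routine run both as the leaky version and with teardown on failure.

```c
#include <stdlib.h>
#include <string.h>

/* Fault-injecting allocator, constructed for this example (not the patch's
 * xxmalloc): allocation number fail_at returns NULL, and live_blocks counts
 * outstanding blocks, so a non-zero value after an error path is a leak. */
static int alloc_calls, fail_at, live_blocks;

static void *xxmalloc(size_t n)
{
    void *p = (++alloc_calls == fail_at) ? NULL : malloc(n);
    live_blocks += (p != NULL);
    return p;
}
static void xxfree(void *p) { live_blocks -= (p != NULL); free(p); }

/* Toy stand-in for a compiled regex; the field names are illustrative only. */
struct dfa { char *nodes; char *eclosures; char *state_table; };

static void free_dfa(struct dfa *d)
{
    xxfree(d->nodes); xxfree(d->eclosures); xxfree(d->state_table);
    memset(d, 0, sizeof *d);
}

/* The pattern comment #6 describes: results checked together. fix == 0
 * abandons the blocks that did succeed; fix == 1 tears the partial object
 * down before reporting the error. */
static int init_dfa(struct dfa *d, int fix)
{
    d->nodes = xxmalloc(64);
    d->eclosures = xxmalloc(64);
    d->state_table = xxmalloc(64);
    if (d->nodes && d->eclosures && d->state_table)
        return 0;
    if (fix)
        free_dfa(d);
    return -1;
}

/* Force allocation k to fail (0 = none), run init_dfa, free on success and
 * return how many blocks are still live: the leak from that error path. */
static int leaked_blocks(int fix, int k)
{
    struct dfa d = { 0 };
    alloc_calls = 0; fail_at = k; live_blocks = 0;
    if (init_dfa(&d, fix) == 0)
        free_dfa(&d);
    return live_blocks;
}
```

Sweeping k over every allocation in the routine is the single-process equivalent of the many-iteration fuzz run: each k exercises one error path, and any non-zero result is a leak that a tool like valgrind would also report.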