From: "konstantin.s.serebryany at gmail dot com"
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/18037] New: infinite recursion (stack overflow) in regexec.c (sift_states_bkref->sift_states_backward->update_cur_sifted_state)
Date: Thu, 26 Feb 2015 19:14:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=18037

            Bug ID: 18037
           Summary: infinite recursion (stack overflow) in regexec.c
                    (sift_states_bkref->sift_states_backward->update_cur_sifted_state)
           Product: glibc
           Version: 2.21
            Status: NEW
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: konstantin.s.serebryany at gmail dot com
                CC: drepper.fsp at gmail dot com

#include <regex.h>

int main() {
  regex_t r;
  /* backreference to an empty group with a doubled repetition */
  if (!regcomp(&r, "()\\1++", REG_EXTENDED))
    regexec(&r, "foo.*bar", 0, 0, 0);
}

gcc -g re1.c && ./a.out

#0  0x00007ffff7aeb1ec in re_acquire_state (err=err@entry=0x7fffff7ff0e0, dfa=dfa@entry=0x602120, nodes=nodes@entry=0x7fffff7ff190) at regex_internal.c:1480
#1  0x00007ffff7aed91d in add_epsilon_src_nodes (candidates=0x602b38, dest_nodes=0x7fffff7ff190, dfa=0x602120) at regexec.c:1825
#2  update_cur_sifted_state (mctx=mctx@entry=0x7fffffffdb50, sctx=sctx@entry=0x7fffff7ff290, str_idx=str_idx@entry=0, dest_nodes=dest_nodes@entry=0x7fffff7ff190) at regexec.c:1789
#3  0x00007ffff7aee428 in sift_states_backward (mctx=mctx@entry=0x7fffffffdb50, sctx=sctx@entry=0x7fffff7ff290) at regexec.c:1614
#4  0x00007ffff7aedd69 in sift_states_bkref (candidates=0x602b38, str_idx=0, sctx=, mctx=0x7fffffffdb50) at regexec.c:2199
#5  update_cur_sifted_state (mctx=mctx@entry=0x7fffffffdb50, sctx=sctx@entry=0x7fffff7ff440, str_idx=str_idx@entry=0, dest_nodes=dest_nodes@entry=0x7fffff7ff340) at regexec.c:1810
#6  0x00007ffff7aee428 in sift_states_backward (mctx=mctx@entry=0x7fffffffdb50, sctx=sctx@entry=0x7fffff7ff440) at regexec.c:1614
#7  0x00007ffff7aedd69 in sift_states_bkref (candidates=0x602b38, str_idx=0, sctx=, mctx=0x7fffffffdb50) at regexec.c:2199
...

Reproduces on 2.19 and trunk.

I am not sure if this bug is too interesting by itself, but my fuzzer hits it instantly and does not let me find anything more exciting. (Same fuzzer as in bug 18032 and bug 18036.)
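An added example, not part of the bug report or of glibc: a small harness that compiles and runs an untrusted pattern in a forked child with a reduced stack limit and a wall-clock alarm, so unbounded recursion inside regexec (as in the trace above) terminates only the child and the caller receives a status instead of crashing. The function name, return codes, stack size and timeout are assumptions of this example.

```c
#include <regex.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of evaluating an untrusted pattern inside a throwaway child. */
enum { RX_MATCH = 0, RX_NOMATCH = 1, RX_BADPATTERN = 2, RX_CHILD_DIED = 3 };

/* Compile PATTERN and run it against SUBJECT in a forked child whose stack
 * is capped at stack_bytes and whose run is bounded by timeout_sec.  A stack
 * overflow (SIGSEGV) or a runaway match (SIGALRM) kills only the child; the
 * parent maps that to RX_CHILD_DIED instead of dying itself.
 * Hypothetical helper written for this example. */
int isolated_regexec(const char *pattern, const char *subject,
                     size_t stack_bytes, unsigned timeout_sec)
{
    pid_t pid = fork();
    if (pid < 0)
        return RX_CHILD_DIED;
    if (pid == 0) {
        struct rlimit rl = { .rlim_cur = stack_bytes, .rlim_max = stack_bytes };
        (void)setrlimit(RLIMIT_STACK, &rl); /* bound how deep recursion can go */
        alarm(timeout_sec);                 /* default SIGALRM action ends the child */
        regex_t re;
        if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
            _exit(RX_BADPATTERN);
        int rc = regexec(&re, subject, 0, NULL, 0);
        regfree(&re);
        _exit(rc == 0 ? RX_MATCH : RX_NOMATCH);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return RX_CHILD_DIED;               /* killed by a signal: overflow or timeout */
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed inputs: a benign pattern and the pattern from the report. */
    printf("foo.*bar : %d\n", isolated_regexec("foo.*bar", "xfoo123barx", 1 << 20, 5));
    printf("()\\1++   : %d\n", isolated_regexec("()\\1++", "foo.*bar", 1 << 20, 5));
    return 0;
}
```

The second call may report RX_CHILD_DIED on an affected libc or a normal result on one where the recursion no longer occurs; in both cases the calling process survives.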