From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <sourceware-bugzilla@sourceware.org>
Received: by sourceware.org (Postfix, from userid 48)
	id 2D33C3858413; Sun,  2 Oct 2022 07:10:42 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 2D33C3858413
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org;
	s=default; t=1664694642;
	bh=cNgwm52N1tsjkzJGSjswbW0x+L/ihH1/DHHbQvuL9SI=;
	h=From:To:Subject:Date:From;
	b=caOXCiTsy+YyQgawBCYcEx3L9tttuZSypZmHZ5nkmZwDU6a6JYYQ4F6Yk5xw8xFy+
	 ckIJXKvfGxFEr1qC7Qgpwu71C1XGSNlT15nR+MHutBV4nYidBj9zRlAM6GUnXtmqA6
	 tjK8BoslZl04xp58GyRgmkBrBulT6ppv3XyblJtQ=
From: "linjy0410 at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/29642] New: `regcomp` with multiple adjacent plus sign
 would exhaust memory quickly
Date: Sun, 02 Oct 2022 07:10:41 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: regex
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: linjy0410 at gmail dot com
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status
 bug_severity priority component assigned_to reporter cc target_milestone
Message-ID: <bug-29642-132@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
List-Id: <glibc-bugs-regex.sourceware.org>

https://sourceware.org/bugzilla/show_bug.cgi?id=3D29642

            Bug ID: 29642
           Summary: `regcomp` with multiple adjacent plus sign would
                    exhaust memory quickly
           Product: glibc
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: linjy0410 at gmail dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Hi! We found that in the latest pull, when `regcomp` with `REG_EXTENDED` is
compiling pattern with multiple adjacent '+', like
"1*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=
++++++++++",
the memory would be exhausted very quickly.
Because in `duplicate_tree` it exponentially calls `create_token_tree` which
malloc all the memory, looks like it's easy to cause serious DOS.
Checked the regex specification that said "multiple adjacent duplication
symbols ( '+', '*', '?', and intervals) produces undefined results.", and s=
eems
like other regex implementation have handled this, maybe glibc needs to han=
dle
it too?

--=20
You are receiving this mail because:
You are on the CC list for the bug.=