From: "ppluzhnikov at google dot com"
To: glibc-bugs@sources.redhat.com
Subject: [Bug libc/12078] regcomp with invalid expression leaks memory
Date: Mon, 11 Oct 2010 21:46:00 -0000
Message-ID: <20101011214600.-YeN1uxFezXMWzoUfOQK_W9S-tulvj6Kbsox6mOry74@z>
X-Bugzilla-Product: glibc
X-Bugzilla-Component: libc
X-Bugzilla-Severity: normal
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Assigned-To: drepper.fsp at gmail dot com
X-SW-Source: 2010-10/txt/msg00071.txt.bz2

http://sourceware.org/bugzilla/show_bug.cgi?id=12078

--- Comment #4 from Paul Pluzhnikov 2010-10-11 21:46:51 UTC ---
Created attachment 5050
  --> http://sourceware.org/bugzilla/attachment.cgi?id=5050
slightly modified form of posix/bug-regex31.c

Only the specific instance of the bug has been fixed, but regcomp() can
still leak an arbitrary amount of memory :-(

I've modified the test case to allow REGEX to be specified on the command
line. Here is what I see:

  gcc -g /tmp/bug-regex31.c
  valgrind --leak-check=yes ./a.out
  ...
  ==29536== in use at exit: 32 bytes in 1 blocks
  ...

(This is *before* the fix.)

  gcc -g /tmp/bug-regex31.c -Wl,-rpath=.,--dynamic-linker=./ld.so && valgrind --leak-check=yes ./a.out
  ...
  ==29829== in use at exit: 0 bytes in 0 blocks

(This is after the fix, so far so good.)

But:

  gcc -g '-DREGEX="([0]([0])"' /tmp/bug-regex31.c -Wl,-rpath=.,--dynamic-linker=./ld.so && valgrind --leak-check=yes ./a.out
  ==30196== definitely lost: 64 bytes in 2 blocks

  gcc -g '-DREGEX="([0]([0])([0])"' /tmp/bug-regex31.c -Wl,-rpath=.,--dynamic-linker=./ld.so && valgrind --leak-check=yes ./a.out
  ==30260== definitely lost: 96 bytes in 3 blocks

  gcc -g '-DREGEX="([0]([0])([0])([0])"' /tmp/bug-regex31.c -Wl,-rpath=.,--dynamic-linker=./ld.so && valgrind --leak-check=yes ./a.out
  ==30328== definitely lost: 128 bytes in 4 blocks

--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
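The pattern family in the comment above ("([0]([0])", "([0]([0])([0])", ...) grows by one leaked block per extra group. The stand-alone harness below is an added example, not the attached bug-regex31.c and not glibc's own test code: it generates the n-th pattern of that family, calls regcomp() on it, and releases the regex_t only when compilation succeeded (the only case in which regfree() is valid). Because every allocation the program makes itself is freed, anything valgrind reports as lost after a run comes from the C library's regcomp() error path, so the same binary can be used to check whether a given libc still shows the leak. The use of REG_EXTENDED is an assumption (it is the syntax under which "(" opens a group and an unmatched one yields REG_EPAREN); the function names are this example's own.

```c
/* Added example: reproducer harness for regcomp() error-path leaks.
   Not the bug-regex31.c attachment; names and REG_EXTENDED are assumptions.
   Build:  gcc -g -o regleak regleak.c
   Check:  valgrind --leak-check=yes ./regleak 4          */
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build "([0]" followed by n copies of "([0])".  The leading "(" is never
   closed, so the pattern is always invalid and regcomp() must fail with
   REG_EPAREN.  The caller frees the returned buffer. */
char *build_unbalanced_pattern(int n)
{
    const char *head = "([0]";
    const char *group = "([0])";
    size_t len = strlen(head) + (size_t)n * strlen(group) + 1;
    char *pat = malloc(len);
    if (pat == NULL)
        return NULL;
    strcpy(pat, head);
    for (int i = 0; i < n; i++)
        strcat(pat, group);
    return pat;
}

/* Compile the pattern and, only on success, release it with regfree().
   Calling regfree() on a regex_t that regcomp() rejected is undefined, so
   the error path must not touch it.  Returns regcomp()'s code (0 = OK).
   Any memory still lost after this returns was allocated inside regcomp(),
   which is exactly what the bug report measures. */
int compile_and_release(const char *pattern)
{
    regex_t re;
    int rc = regcomp(&re, pattern, REG_EXTENDED);
    if (rc == 0)
        regfree(&re);
    return rc;
}

int main(int argc, char **argv)
{
    /* Constructed default: try the first three members of the family. */
    int count = argc > 1 ? atoi(argv[1]) : 3;
    for (int n = 1; n <= count; n++) {
        char *pat = build_unbalanced_pattern(n);
        if (pat == NULL)
            return 1;
        int rc = compile_and_release(pat);
        printf("%-36s rc=%d%s\n", pat, rc,
               rc == REG_EPAREN ? " (REG_EPAREN)" : "");
        free(pat);
    }
    return 0;
}
```

Run it under valgrind with increasing arguments: a libc that still has the problem shows "definitely lost" growing with the argument, as in the comment's numbers, while a fixed one reports zero lost blocks even though every compile fails.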