public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug regex/17069] New: leak in regcomp
@ 2014-06-19  5:53 konstantin.s.serebryany at gmail dot com
  2014-06-19 14:46 ` [Bug regex/17069] " fweimer at redhat dot com
                   ` (9 more replies)
  0 siblings, 10 replies; 11+ messages in thread
From: konstantin.s.serebryany at gmail dot com @ 2014-06-19  5:53 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17069

            Bug ID: 17069
           Summary: leak in regcomp
           Product: glibc
           Version: 2.20
            Status: NEW
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: konstantin.s.serebryany at gmail dot com
                CC: drepper.fsp at gmail dot com

regcomp has a memory leak. Present in ancient 2.15 and in fresh trunk.

clang -fsanitize=address -g ./r.c && ASAN_OPTIONS=fast_unwind_on_malloc=0
./a.out 1


==1371==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 32 byte(s) in 1 object(s) allocated from:
    #0 0x4943d9 in calloc
    #1 0x7fa25a3e57c3 in parse_bracket_exp glibc-trunk/posix/regcomp.c:3045
    #2 0x7fa25a3e57c3 in parse_expression glibc-trunk/posix/regcomp.c:2265
    #3 0x7fa25a3e9181 in parse_branch glibc-trunk/posix/regcomp.c:2193
    #4 0x7fa25a3e9408 in parse_reg_exp glibc-trunk/posix/regcomp.c:2145
    #5 0x7fa25a3ea156 in parse glibc-trunk/posix/regcomp.c:2114
    #6 0x7fa25a3ea156 in re_compile_internal glibc-trunk/posix/regcomp.c:794
    #7 0x7fa25a3ece0f in __regcomp glibc-trunk/posix/regcomp.c:501
    #8 0x4b2c6e in main r.c:8

Valgrind sees it too: 
gcc -std=c99 -g ./r.c && valgrind --leak-check=full ./a.out 1
==1895== 32 bytes in 1 blocks are definitely lost in loss record 1 of 1
==1895==    at 0x4C2B1B8: calloc (vg_replace_malloc.c:618)
==1895==    by 0x4F145DE: parse_expression (regcomp.c:3057)
==1895==    by 0x4F1246F: parse_branch (regcomp.c:2170)
==1895==    by 0x4F127BD: parse_reg_exp (regcomp.c:2122)
==1895==    by 0x4F12CBF: re_compile_internal (regcomp.c:2091)
==1895==    by 0x4F16E7E: regcomp (regcomp.c:506)
==1895==    by 0x4005E9: main (r.c:8)

Running this test with large number of iterations you can see the leak in 'top'


#include <regex.h>
#include <stdlib.h>

int main(int argc, char **argv) {
  long n = argc == 2 ? atol(argv[1]) : 1;
  for (long i = 0; i < n; i++) {
    regex_t r;
    regcomp(&r, "[^[][:alpha:][:up[^perword:]\\{-2(?<!27,}�\\p.o\n"
               
"]�����+)][:x[digit:]]\\P{^Gothic}{-109,}^{235}NNNN{214,}{-83}\\z\\w", 0);
    regfree(&r);
  } 
}   

Found with the help of regfuzz

-- 
You are receiving this mail because:
You are on the CC list for the bug.
>From glibc-bugs-return-23885-listarch-glibc-bugs=sources.redhat.com@sourceware.org Thu Jun 19 06:25:12 2014
Return-Path: <glibc-bugs-return-23885-listarch-glibc-bugs=sources.redhat.com@sourceware.org>
Delivered-To: listarch-glibc-bugs@sources.redhat.com
Received: (qmail 8325 invoked by alias); 19 Jun 2014 06:25:11 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs@sourceware.org>
List-Help: <mailto:glibc-bugs-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-owner@sourceware.org
Delivered-To: mailing list glibc-bugs@sourceware.org
Received: (qmail 8284 invoked by uid 48); 19 Jun 2014 06:25:07 -0000
From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug stdio/14254] __wur on scanf and related functions is wrong
Date: Thu, 19 Jun 2014 06:25:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: stdio
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: fweimer at redhat dot com
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: security-
X-Bugzilla-Changed-Fields: flagtypes.name
Message-ID: <bug-14254-131-ziRa2PGQXV@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-14254-131@http.sourceware.org/bugzilla/>
References: <bug-14254-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-06/txt/msg01261.txt.bz2
Content-length: 378

https://sourceware.org/bugzilla/show_bug.cgi?id\x14254

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-

--
You are receiving this mail because:
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 11+ messages in thread
end of thread, other threads:[~2015-02-18 14:31 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-06-19  5:53 [Bug regex/17069] New: leak in regcomp konstantin.s.serebryany at gmail dot com
2014-06-19 14:46 ` [Bug regex/17069] " fweimer at redhat dot com
2014-06-19 17:01 ` cvs-commit at gcc dot gnu.org
2014-06-19 20:35 ` schwab@linux-m68k.org
2014-06-20  4:08 ` konstantin.s.serebryany at gmail dot com
2014-06-20  4:09 ` konstantin.s.serebryany at gmail dot com
2014-06-20  4:41 ` konstantin.s.serebryany at gmail dot com
2014-06-20 12:04 ` cvs-commit at gcc dot gnu.org
2014-06-20 12:06 ` schwab@linux-m68k.org
2014-06-20 12:28 ` konstantin.s.serebryany at gmail dot com
2015-02-18 14:31 ` fweimer at redhat dot com

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).