This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/12078] regcomp with invalid expression leaks memory
- From: "ppluzhnikov at google dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: Mon, 11 Oct 2010 21:46:53 +0000
- Subject: [Bug libc/12078] regcomp with invalid expression leaks memory
- Auto-submitted: auto-generated
- References: <bug-12078-131@http.sourceware.org/bugzilla/>
http://sourceware.org/bugzilla/show_bug.cgi?id=12078
--- Comment #4 from Paul Pluzhnikov <ppluzhnikov at google dot com> 2010-10-11 21:46:51 UTC ---
Created attachment 5050
--> http://sourceware.org/bugzilla/attachment.cgi?id=5050
slightly modified form of posix/bug-regex31.c
Only the specific instance of the bug has been fixed, but regcomp() can still
leak an arbitrary amount of memory :-(
I've modified the test case to allow REGEX to be specified on the command line.
Here is what I see:
gcc -g /tmp/bug-regex31.c
valgrind --leak-check=yes ./a.out
...
==29536== in use at exit: 32 bytes in 1 blocks
...
(This is *before* the fix.)
gcc -g /tmp/bug-regex31.c -Wl,-rpath=.,--dynamic-linker=./ld.so && valgrind --leak-check=yes ./a.out
...
==29829== in use at exit: 0 bytes in 0 blocks
(This is after the fix, so far so good.)
But:
gcc -g '-DREGEX="([0]([0])"' /tmp/bug-regex31.c -Wl,-rpath=.,--dynamic-linker=./ld.so && valgrind --leak-check=yes ./a.out
==30196== definitely lost: 64 bytes in 2 blocks
gcc -g '-DREGEX="([0]([0])([0])"' /tmp/bug-regex31.c -Wl,-rpath=.,--dynamic-linker=./ld.so && valgrind --leak-check=yes ./a.out
==30260== definitely lost: 96 bytes in 3 blocks
gcc -g '-DREGEX="([0]([0])([0])([0])"' /tmp/bug-regex31.c -Wl,-rpath=.,--dynamic-linker=./ld.so && valgrind --leak-check=yes ./a.out
==30328== definitely lost: 128 bytes in 4 blocks
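Added example, not part of the original message and not the attached bug-regex31.c: a regression check that compiles the three unbalanced patterns quoted above many times and reports net heap growth, so a per-call leak in the regcomp() error path shows up without valgrind. It assumes glibc (mallinfo2()/mallinfo() from <malloc.h>); the helper names heap_in_use and compile_repeatedly are hypothetical.

```c
/* Added example: heap growth across repeated failing regcomp() calls. */
#include <malloc.h>
#include <regex.h>
#include <stdio.h>

/* Bytes currently handed out by malloc (glibc-specific introspection). */
static size_t heap_in_use(void)
{
#if __GLIBC_PREREQ(2, 33)
    return mallinfo2().uordblks;
#else
    return (size_t)mallinfo().uordblks;
#endif
}

/* Compile `pattern` `rounds` times. Returns the regcomp() result of the
   last call and stores the net heap growth in bytes in *leaked. */
int compile_repeatedly(const char *pattern, int rounds, long *leaked)
{
    regex_t re;
    /* Warm-up call so one-time allocations are not counted as a leak. */
    int rc = regcomp(&re, pattern, REG_EXTENDED);
    if (rc == 0)
        regfree(&re);
    size_t before = heap_in_use();
    for (int i = 0; i < rounds; i++) {
        rc = regcomp(&re, pattern, REG_EXTENDED);
        if (rc == 0)
            regfree(&re); /* only a successful compile owns resources */
    }
    *leaked = (long)heap_in_use() - (long)before;
    return rc;
}

int main(void)
{
    /* Patterns from the message above; each leaves one group unclosed. */
    const char *patterns[] = { "([0]([0])", "([0]([0])([0])",
                               "([0]([0])([0])([0])" };
    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++) {
        long leaked;
        int rc = compile_repeatedly(patterns[i], 1000, &leaked);
        printf("%-22s rc=%d heap growth=%ld bytes\n", patterns[i], rc, leaked);
    }
    return 0;
}
```

Heap growth that scales with the number of rounds indicates memory lost on the error path; a constant figure near zero indicates the path frees what it allocated.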