This is the mail archive of the
libc-alpha@sources.redhat.com
mailing list for the glibc project.
Re: More regex bugs
- From: Daniel Jacobowitz <drow at mvista dot com>
- To: libc-alpha at sources dot redhat dot com
- Date: Sun, 17 Nov 2002 11:52:18 -0500
- Subject: Re: More regex bugs
- References: <20021109023422.GA26229@nevyn.them.org>
On Fri, Nov 08, 2002 at 09:34:22PM -0500, Daniel Jacobowitz wrote:
> Consider this program:
>
> #include <sys/types.h>
> #include <regex.h>
>
> int main()
> {
> regex_t reg;
> regmatch_t pm[1];
> regcomp (®, "man", REG_ICASE);
> return regexec (®, "pipenightdreams", 1, pm, 0);
> }
>
> This triggers two warnings from valgrind. One's easy, one's harder.
>
> The first one is line 663 in regexec.c:
> 662 /* Eliminate inappropriate one by fastmap. */
> 663 if (preg->can_be_null || fastmap == NULL || fastmap[ch])
> 664 {
>
> preg->can_be_null is not initialized to 0 (or at all).
>
> The second is:
> ==13497== Invalid read of size 1
> ==13497== at 0x402FDD6C: re_string_context_at (../include/ctype.h:28)
> ==13497== by 0x402FDB30: re_string_reconstruct (regex_internal.c:442)
> ==13497== by 0x402F8A84: re_search_internal (regexec.c:672)
> ==13497== by 0x402F8250: __regexec (regexec.c:209)
>
> #0 re_string_context_at (input=0xbffff4f0, idx=12, eflags=0, newline_anchor=0) at regex_internal.c:530
> #1 0x400c7b30 in re_string_reconstruct (pstr=0xbffff4f0, idx=13, eflags=0, newline=0)
> at regex_internal.c:439
> #2 0x400c2a84 in re_search_internal (preg=0xbffff5c8, string=0x80484c8 "pipenightdreams", length=15,
> start=0, range=77, stop=-1073744656, nmatch=1, pmatch=0xbffff5c0, eflags=0) at regexec.c:667
> #3 0x400c2250 in __regexec (preg=0xbffff5c8, string=0xc <Address 0xc out of bounds>, nmatch=1,
> pmatch=0xbffff5c0, eflags=0) at regexec.c:209
> #4 0x08048459 in main () at reg.c:10
>
> We call re_string_byte_at using an idx of 12. The mbs[] buffer is only five
> bytes long. Of that I think that only the first byte is initialized, or
> none of it is initialized... yes, it is completely uninitialized.
> build_upper_buffer doesn't get called until further down
> re_string_reconstruct.
>
> (gdb) p *input
> $6 = {raw_mbs = 0x80484c8 "pipenightdreams", mbs = 0x80497d8 "p\232\004\b",
> mbs_case = 0x80484c8 "pipenightdreams", wcs = 0x0, cur_state = {__count = 0, __value = {__wch = 0,
> __wchb = "\0\0\0"}}, raw_mbs_idx = 0, valid_len = 0, bufs_len = 5, cur_idx = 0, len = 15,
> stop = 15, tip_context = 6, trans = 0x0, icase = 1}
>
> I don't think it's safe to call re_string_context_at yet. But I've given up
> trying to figure out what is going on here... calling re_string_context_at
> when valid_len is 0 is definitely a losing proposition. Someone else will
> have to figure out what to do in this one.
Has anyone had a chance to look at this? This same bug causes a
segfault in 'apropos -k lmcs' on a Debian system; I'm not sure if it is
reproducible on a Red Hat system due to the different version of
man-db and different database, but it may still show up in valgrind.
--
Daniel Jacobowitz
MontaVista Software Debian GNU/Linux Developer