This is the mail archive of the libc-alpha@sources.redhat.com mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: More regex bugs

From: Daniel Jacobowitz <drow at mvista dot com>
To: libc-alpha at sources dot redhat dot com
Date: Sun, 17 Nov 2002 11:52:18 -0500
Subject: Re: More regex bugs
References: <20021109023422.GA26229@nevyn.them.org>

On Fri, Nov 08, 2002 at 09:34:22PM -0500, Daniel Jacobowitz wrote:
> Consider this program:
> 
> #include <sys/types.h>
> #include <regex.h>
> 
> int main()
> {
>   regex_t reg;
>   regmatch_t pm[1];
>   regcomp (&reg, "man", REG_ICASE);
>   return regexec (&reg, "pipenightdreams", 1, pm, 0);
> }
> 
> This triggers two warnings from valgrind.  One's easy, one's harder.
> 
> The first one is line 663 in regexec.c:
> 662           /* Eliminate inappropriate one by fastmap.  */
> 663           if (preg->can_be_null || fastmap == NULL || fastmap[ch])
> 664             {
> 
> preg->can_be_null is not initialized to 0 (or at all).
> 
> The second is:
> ==13497== Invalid read of size 1
> ==13497==    at 0x402FDD6C: re_string_context_at (../include/ctype.h:28)
> ==13497==    by 0x402FDB30: re_string_reconstruct (regex_internal.c:442)
> ==13497==    by 0x402F8A84: re_search_internal (regexec.c:672)
> ==13497==    by 0x402F8250: __regexec (regexec.c:209)
> 
> #0  re_string_context_at (input=0xbffff4f0, idx=12, eflags=0, newline_anchor=0) at regex_internal.c:530
> #1  0x400c7b30 in re_string_reconstruct (pstr=0xbffff4f0, idx=13, eflags=0, newline=0)
>     at regex_internal.c:439
> #2  0x400c2a84 in re_search_internal (preg=0xbffff5c8, string=0x80484c8 "pipenightdreams", length=15,
>     start=0, range=77, stop=-1073744656, nmatch=1, pmatch=0xbffff5c0, eflags=0) at regexec.c:667
> #3  0x400c2250 in __regexec (preg=0xbffff5c8, string=0xc <Address 0xc out of bounds>, nmatch=1,
>     pmatch=0xbffff5c0, eflags=0) at regexec.c:209
> #4  0x08048459 in main () at reg.c:10
> 
> We call re_string_byte_at using an idx of 12.  The mbs[] buffer is only five
> bytes long.  Of that I think that only the first byte is initialized, or
> none of it is initialized... yes, it is completely uninitialized. 
> build_upper_buffer doesn't get called until further down
> re_string_reconstruct.
> 
> (gdb) p *input
> $6 = {raw_mbs = 0x80484c8 "pipenightdreams", mbs = 0x80497d8 "p\232\004\b", 
>   mbs_case = 0x80484c8 "pipenightdreams", wcs = 0x0, cur_state = {__count = 0, __value = {__wch = 0, 
>       __wchb = "\0\0\0"}}, raw_mbs_idx = 0, valid_len = 0, bufs_len = 5, cur_idx = 0, len = 15, 
>   stop = 15, tip_context = 6, trans = 0x0, icase = 1}
> 
> I don't think it's safe to call re_string_context_at yet.  But I've given up
> trying to figure out what is going on here... calling re_string_context_at
> when valid_len is 0 is definitely a losing proposition.  Someone else will
> have to figure out what to do in this one.

Has anyone had a chance to look at this?  This same bug causes a
segfault in 'apropos -k lmcs' on a Debian system; I'm not sure if it is
reproducible on a Red Hat system due to the different version of
man-db and different database, but it may still show up in valgrind.

-- 
Daniel Jacobowitz
MontaVista Software                         Debian GNU/Linux Developer

References:
- More regex bugs
  - From: Daniel Jacobowitz

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]