This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



[PATCH] handle malloc() and realloc() failures in regcomp()


From: Jindřich Makovička <makovick@gmail.com>
Date: Sun, Oct 28, 2012 at 2:17 PM
Subject: [PATCH] handle malloc() and realloc() failures in regcomp()
To: patches@eglibc.org
Cc: Jindřich Makovička <makovick@gmail.com>

Hi,

currently, regcomp() misses a lot of checks for memory allocation
failures, and it also does not properly release memory on error paths.
This means a malloc error usually causes either a SEGV or a memory
leak.

The attached patch
(0001-handle-malloc-and-realloc-failures-in-regcomp.patch) adds the
return value checks and
memory deallocation on failures.

I have been debugging this issue by fuzzing re_malloc() and
re_realloc(), making them randomly return NULL. The patch with added
fuzzing is attached as regex-fuzzed.diff . testcase.c has been used to
exercise the modified regcomp().
Memory violations or leaks have been tested using valgrind: valgrind
--leak-check=full --show-reachable=yes --trace-children=yes
./testrun.sh ./testcase

Regards,
--
Jindřich Makovička

Attachment: regex-fuzzed.diff
Description: Binary data

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <regex.h>

int main()
{
    int r, i;
    regex_t regexp;

    for (i = 0;i < 11235; i++) {
        memset(&regexp, 0, sizeof(regex_t));
        fprintf(stderr, "====\n");
        r = regcomp(&regexp, "^"
                    "(/([0-9]+)(-([a-z]+))(\\.das|\\.dsadsad)?\\.qewqw)"
                    "|(/([0-9]+)/([0-9]+)(\\.dsasda|\\.dasd)?\\.qweqw)"
                    "|(/([0-9]+)/([0-9]+)/([0-9]+)/([0-9]+)(-wer([0-9]+))?(-fdsfds([0-9]+))?(\\.[qweqwe])?(\\.adsas|\\.dsasd)?\\.dasd)"
                    "|(/fasdkjlds/([a-z]+)/([0-9]+)/([0-9]+)([0-9]+)?/([0-9]+)([0-9]+)?(\\.asds|\\.dsasd)?\\.dasdas)"
                    "|(/werruwoe/([0-9]+)(/([0-9]+))?\\.rtewui)"
                    "|(/czxczxcvzx/([a-z]+)/([0-9]+)/([0-9]+)(/([0-9]+))?(\\.ytert|\\.tert)?\\.qwwerqwe)"
                    "|(/([0-9]+)-qweqw-([a-z]+)(-([0-9]+)(-([0-9]+))?)?(\\.qweqwe|\\.tretr)?\\.fsdfsd)"
                    "|(/vxvxzcvz/([a-z]+)/([0-9]+)/([0-9]+)/([0-9]+)(\\.czxcv|\\.jhgjh)?\\.czxc)"
                    "$", REG_EXTENDED);
        if (r == 0) {
            regfree(&regexp);
        }
    }

    return 0;
}

Attachment: 0001-handle-malloc-and-realloc-failures-in-regcomp.patch
Description: Binary data
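
The fault-injection approach described in the message, as an added example that is not part of the original post or of glibc: rather than failing at random, it fails each allocation call in turn and checks that the error path leaves no block allocated. The names fi_realloc, fi_free, toks_build and sweep, and the token strings, are constructed stand-ins and not regcomp() internals.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical fault-injecting allocator, standing in for a patched re_realloc(). */
static long fail_at = -1, calls, live;  /* call to fail, calls seen, blocks not yet freed */
static void *fi_realloc(void *p, size_t n) {
    if (calls++ == fail_at) return NULL;        /* injected failure */
    void *q = realloc(p, n);
    if (q && !p) live++;                        /* a resize does not add a block */
    return q;
}
static void fi_free(void *p) { if (p) { live--; free(p); } }
/* Constructed code under test: a growable array of copied strings. */
struct toks { char **v; size_t n, cap; };
static void toks_free(struct toks *t) {
    for (size_t i = 0; i < t->n; i++) fi_free(t->v[i]);
    fi_free(t->v);
    memset(t, 0, sizeof *t);
}

/* Returns 0 on success; on allocation failure releases everything and returns -1. */
static int toks_build(struct toks *t, const char *const *src, size_t count) {
    memset(t, 0, sizeof *t);
    for (size_t i = 0; i < count; i++) {
        if (t->n == t->cap) {
            size_t cap = t->cap ? t->cap * 2 : 2;
            char **v = fi_realloc(t->v, cap * sizeof *v);  /* t->v stays valid on failure */
            if (!v) { toks_free(t); return -1; }
            t->v = v; t->cap = cap;
        }
        char *s = fi_realloc(NULL, strlen(src[i]) + 1);
        if (!s) { toks_free(t); return -1; }
        strcpy(s, src[i]);
        t->v[t->n++] = s;
    }
    return 0;
}

/* Fail call 0, 1, 2, ... in turn; returns failure points exercised, or -1 on a leak. */
static long sweep(void) {
    static const char *const src[] = { "^", "(/([0-9]+))", "|", "(\\.das)?", "$" };
    for (long k = 0; ; k++) {
        struct toks t;
        fail_at = k; calls = 0; live = 0;
        if (toks_build(&t, src, 5) == 0) { toks_free(&t); return live ? -1 : k; }
        if (live != 0) return -1;
    }
}
int main(void) { printf("failure points: %ld\n", sweep()); return 0; }
```

Running the binary under valgrind, as in the message, additionally catches invalid reads and writes on the error paths that the block counter alone cannot see.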

