bug-grep
From: Jim Meyering
Subject: bug#34140: AddressSanitizer reported heap-buffer-overflow when ignoring case
Date: Mon, 21 Jan 2019 16:38:20 -0800

On Mon, Jan 21, 2019 at 11:32 AM Paul Eggert <address@hidden> wrote:
> Thanks for the bug report. I tracked it down to a read buffer overrun in
> glibc's regexec.c and filed a bug report with a fix here:
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=24114
>
> glibc is frozen right now (it's just before the glibc 2.29 release), so most
> likely the bug fix will appear in glibc 2.30. I plan to propagate the fix into
> Gnulib (and therefore into grep) shortly after glibc 2.29 is released.

Thanks, Paul.
For the record, here's a small reproducer:

  printf xxxxxxxxxxxxxx |valgrind src/grep -i '\(\(\)*.\)*\1'

which induces this:

==10527== Invalid read of size 1
==10527==    at 0x483F0F5: bcmp (vg_replace_strmem.c:1113)
==10527==    by 0x420B96: proceed_next_node (regexec.c:1296)
==10527==    by 0x420B96: set_regs (regexec.c:1453)
==10527==    by 0x422956: re_search_internal (regexec.c:864)
==10527==    by 0x42700E: re_search_stub (regexec.c:425)
==10527==    by 0x42775F: rpl_re_search (regexec.c:289)
==10527==    by 0x405524: EGexecute (dfasearch.c:357)
==10527==    by 0x406B9F: grepbuf (grep.c:1395)
==10527==    by 0x407C5C: grep (grep.c:1567)
==10527==    by 0x407C5C: grepdesc (grep.c:1849)
==10527==    by 0x404277: grep_command_line_arg (grep.c:1891)
==10527==    by 0x404277: main (grep.c:2938)
==10527==  Address 0x4b0eabe is 0 bytes after a block of size 14 alloc'd
==10527==    at 0x483AD19: realloc (vg_replace_malloc.c:836)
==10527==    by 0x41A2F3: re_string_realloc_buffers (regex_internal.c:168)
==10527==    by 0x41AE0D: extend_buffers (regexec.c:4067)
==10527==    by 0x4218C2: get_subexp (regexec.c:2747)
==10527==    by 0x4218C2: transit_state_bkref.isra.0 (regexec.c:2566)
==10527==    by 0x421AD9: merge_state_with_log (regexec.c:2349)
==10527==    by 0x422747: check_matching (regexec.c:1139)
==10527==    by 0x422747: re_search_internal (regexec.c:805)
==10527==    by 0x42700E: re_search_stub (regexec.c:425)
==10527==    by 0x42775F: rpl_re_search (regexec.c:289)
==10527==    by 0x405524: EGexecute (dfasearch.c:357)
==10527==    by 0x406B9F: grepbuf (grep.c:1395)
==10527==    by 0x407C5C: grep (grep.c:1567)
==10527==    by 0x407C5C: grepdesc (grep.c:1849)
==10527==    by 0x404277: grep_command_line_arg (grep.c:1891)
==10527==    by 0x404277: main (grep.c:2938)
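A regression check that wraps the reproducer above, added here as an example and not taken from grep's own test suite. It assumes GREP names the grep binary under test (defaulting to the one on PATH) and uses valgrind only when it is installed, treating a valgrind "Invalid read" or an abnormal grep exit as a failure.

```shell
#!/bin/sh
# Regression check for bug#34140 (added example; not part of grep's tests).
# Assumption: GREP is the grep binary under test; valgrind is optional.
GREP="${GREP:-grep}"

# Runs the reproducer from the report: a case-insensitive back-reference
# pattern over 14 'x' bytes with no trailing newline.
# Returns 0 when grep finishes normally (match or no match) and no memory
# error is reported; returns 1 on a crash, a grep error, or a valgrind hit.
check_bug34140() {
    pattern='\(\(\)*.\)*\1'
    status=0
    if command -v valgrind >/dev/null 2>&1; then
        log=$(mktemp)
        # --error-exitcode makes valgrind itself signal detected errors.
        printf xxxxxxxxxxxxxx |
            valgrind --error-exitcode=99 --log-file="$log" \
                "$GREP" -i "$pattern" >/dev/null 2>&1 || status=$?
        if [ "$status" -eq 99 ] || grep -q 'Invalid read' "$log"; then
            rm -f "$log"
            return 1
        fi
        rm -f "$log"
    else
        printf xxxxxxxxxxxxxx | "$GREP" -i "$pattern" >/dev/null 2>&1 || status=$?
    fi
    # grep exits 0 (match) or 1 (no match); 2 is an error and >128 means
    # the process was killed by a signal, so anything above 1 is a failure.
    [ "$status" -le 1 ]
}
```

Run it against a grep built from the tree under test by pointing GREP at that binary, e.g. `GREP=src/grep sh check.sh`.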
