This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/12078] regcomp with invalid expression leaks memory


http://sourceware.org/bugzilla/show_bug.cgi?id=12078

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

--- Comment #6 from Paul Pluzhnikov <ppluzhnikov at google dot com> 2010-10-12 04:58:29 UTC ---
(In reply to comment #5)
> Try the current git code.

Thanks. This fixed all the patterns I had so far.

However, this pattern still leaks: "([0]([0]([0([0])".
Making a systematic/exhaustive search ...

The smallest pattern that causes a leak is 4 characters.
Here are all 4-character patterns that currently cause a leak:

[[][
[[](
[0][
[0](
[(][
[(](
[)][
[)](
[]][
[]](

All of the above leak 1 32-byte chunk, and there is a definite pattern to them,
so probably all are caused by the same bug:

==12334== 320 bytes in 10 blocks are definitely lost in loss record 1 of 1
==12334==    at 0x4C24185: calloc /tmp/vg/coregrind/m_replacemalloc/vg_replace_malloc.c:506
==12334==    by 0x4EE61D8: parse_expression /glibc-git/posix/regcomp.c:3028
==12334==    by 0x4EE7B80: parse_branch /glibc-git/posix/regcomp.c:2153
==12334==    by 0x4EE7C9D: parse_reg_exp /glibc-git/posix/regcomp.c:2112
==12334==    by 0x4EE80B0: re_compile_internal /glibc-git/posix/regcomp.c:2081
==12334==    by 0x4EE9320: regcomp /glibc-git/posix/regcomp.c:500
==12334==    by 0x400764: main /tmp/build-glibc-git/bug-regex31.c:23

Extending to all possible 5-character patterns, I see what appears to be two
new leaks (in addition to the one above):

==12555== 960 bytes in 30 blocks are definitely lost in loss record 2 of 3
==12555==    at 0x4C24185: calloc /tmp/vg/coregrind/m_replacemalloc/vg_replace_malloc.c:506
==12555==    by 0x4EE61D8: parse_expression /glibc-git/posix/regcomp.c:3028
==12555==    by 0x4EE7BBF: parse_branch /glibc-git/posix/regcomp.c:2160
==12555==    by 0x4EE7C9D: parse_reg_exp /glibc-git/posix/regcomp.c:2112
==12555==    by 0x4EE80B0: re_compile_internal /glibc-git/posix/regcomp.c:2081
==12555==    by 0x4EE9320: regcomp /glibc-git/posix/regcomp.c:500
==12555==    by 0x400764: main /tmp/build-glibc-git/bug-regex31.c:23
==12555== 
==12555== 3,680 bytes in 115 blocks are definitely lost in loss record 3 of 3
==12555==    at 0x4C24185: calloc /tmp/vg/coregrind/m_replacemalloc/vg_replace_malloc.c:506
==12555==    by 0x4EE61D8: parse_expression /glibc-git/posix/regcomp.c:3028
==12555==    by 0x4EE7B80: parse_branch /glibc-git/posix/regcomp.c:2153
==12555==    by 0x4EE7C9D: parse_reg_exp /glibc-git/posix/regcomp.c:2112
==12555==    by 0x4EE80B0: re_compile_internal /glibc-git/posix/regcomp.c:2081
==12555==    by 0x4EE9320: regcomp /glibc-git/posix/regcomp.c:500
==12555==    by 0x400764: main /tmp/build-glibc-git/bug-regex31.c:23

For all 6-character patterns, I see 3 additional leaks.

I'll attach my pattern generator and modified bug-regex31.c shortly.

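The exhaustive search described in the comment above, as an added example that is not the reporter's generator nor the glibc test bug-regex31.c (neither is attached on this page). It enumerates every pattern of a given length over the five characters that appear in the reported leaking patterns ("[", "]", "(", ")", "0"), hands each one to regcomp(), and calls regfree() only on successful compiles, so that any block valgrind reports as lost must come from regcomp's error path. The alphabet, the use of REG_EXTENDED (the page does not show which cflags the reporter used) and the function names are assumptions of this example.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed alphabet: the characters that make up the 4-character patterns
   listed in the bug comment. Any other set of metacharacters would work. */
static const char ALPHABET[] = "[]()0";

/* Compile one pattern and return regcomp's status (0 = success).
   A successfully compiled regex is released immediately, so a leak
   reported by valgrind can only originate in the failure path. */
int try_pattern(const char *pat, int cflags)
{
    regex_t re;
    int rc = regcomp(&re, pat, cflags);
    if (rc == 0)
        regfree(&re);
    /* Per POSIX, regfree() must not be called after a failed regcomp(). */
    return rc;
}

/* Enumerate every pattern of exactly `len` characters over ALPHABET
   (odometer-style) and compile each one.  Returns the number of patterns
   tried; *nfail receives the number that failed to compile.  If `log` is
   non-NULL, each failing pattern and its regerror() text is written there. */
long enumerate_patterns(int len, int cflags, long *nfail, FILE *log)
{
    size_t nsym = strlen(ALPHABET);
    long total = 0, failed = 0;
    char *pat = NULL;
    int *idx = NULL;

    if (len <= 0) {
        if (nfail) *nfail = 0;
        return 0;
    }
    pat = calloc((size_t)len + 1, 1);
    idx = calloc((size_t)len, sizeof *idx);
    if (!pat || !idx) {
        free(pat);
        free(idx);
        if (nfail) *nfail = 0;
        return 0;
    }

    for (;;) {
        int pos;
        for (int i = 0; i < len; i++)
            pat[i] = ALPHABET[idx[i]];

        int rc = try_pattern(pat, cflags);
        total++;
        if (rc != 0) {
            failed++;
            if (log) {
                char err[64];
                regerror(rc, NULL, err, sizeof err);
                fprintf(log, "%s\t%s\n", pat, err);
            }
        }

        /* Advance the odometer; stop once every position has wrapped. */
        pos = len - 1;
        while (pos >= 0 && ++idx[pos] == (int)nsym) {
            idx[pos] = 0;
            pos--;
        }
        if (pos < 0)
            break;
    }

    free(pat);
    free(idx);
    if (nfail) *nfail = failed;
    return total;
}

int main(int argc, char **argv)
{
    int len = argc > 1 ? atoi(argv[1]) : 4;   /* pattern length to search */
    long nfail = 0;
    long total = enumerate_patterns(len, REG_EXTENDED, &nfail, stdout);
    printf("%ld patterns of length %d tried, %ld failed to compile\n",
           total, len, nfail);
    return 0;
}
```

Build with `gcc -g -o regleak regleak.c` and run it as `valgrind --leak-check=full ./regleak 4` (and `5`, `6`, ...) to obtain the "definitely lost" records in the form shown above; because successful compiles are freed, the block count in each record equals the number of failing patterns that took that allocation path. A 6-character search over this alphabet is 15,625 compiles, so the run stays short even under valgrind.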

