This is the mail archive of the libc-alpha@sources.redhat.com mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

More regex bugs

From: Daniel Jacobowitz <drow at mvista dot com>
To: libc-alpha at sources dot redhat dot com
Date: Fri, 8 Nov 2002 21:34:22 -0500
Subject: More regex bugs

Consider this program:

#include <sys/types.h>
#include <regex.h>

int main()
{
  regex_t reg;
  regmatch_t pm[1];
  regcomp (&reg, "man", REG_ICASE);
  return regexec (&reg, "pipenightdreams", 1, pm, 0);
}

This triggers two warnings from valgrind.  One's easy, one's harder.

The first one is line 663 in regexec.c:
662           /* Eliminate inappropriate one by fastmap.  */
663           if (preg->can_be_null || fastmap == NULL || fastmap[ch])
664             {

preg->can_be_null is not initialized to 0 (or at all).

The second is:
==13497== Invalid read of size 1
==13497==    at 0x402FDD6C: re_string_context_at (../include/ctype.h:28)
==13497==    by 0x402FDB30: re_string_reconstruct (regex_internal.c:442)
==13497==    by 0x402F8A84: re_search_internal (regexec.c:672)
==13497==    by 0x402F8250: __regexec (regexec.c:209)

#0  re_string_context_at (input=0xbffff4f0, idx=12, eflags=0, newline_anchor=0) at regex_internal.c:530
#1  0x400c7b30 in re_string_reconstruct (pstr=0xbffff4f0, idx=13, eflags=0, newline=0)
    at regex_internal.c:439
#2  0x400c2a84 in re_search_internal (preg=0xbffff5c8, string=0x80484c8 "pipenightdreams", length=15,
    start=0, range=77, stop=-1073744656, nmatch=1, pmatch=0xbffff5c0, eflags=0) at regexec.c:667
#3  0x400c2250 in __regexec (preg=0xbffff5c8, string=0xc <Address 0xc out of bounds>, nmatch=1,
    pmatch=0xbffff5c0, eflags=0) at regexec.c:209
#4  0x08048459 in main () at reg.c:10

We call re_string_byte_at using an idx of 12.  The mbs[] buffer is only five
bytes long.  Of that I think that only the first byte is initialized, or
none of it is initialized... yes, it is completely uninitialized. 
build_upper_buffer doesn't get called until further down
re_string_reconstruct.

(gdb) p *input
$6 = {raw_mbs = 0x80484c8 "pipenightdreams", mbs = 0x80497d8 "p\232\004\b", 
  mbs_case = 0x80484c8 "pipenightdreams", wcs = 0x0, cur_state = {__count = 0, __value = {__wch = 0, 
      __wchb = "\0\0\0"}}, raw_mbs_idx = 0, valid_len = 0, bufs_len = 5, cur_idx = 0, len = 15, 
  stop = 15, tip_context = 6, trans = 0x0, icase = 1}

I don't think it's safe to call re_string_context_at yet.  But I've given up
trying to figure out what is going on here... calling re_string_context_at
when valid_len is 0 is definitely a losing proposition.  Someone else will
have to figure out what to do in this one.

-- 
Daniel Jacobowitz
MontaVista Software                         Debian GNU/Linux Developer

Follow-Ups:
- Re: More regex bugs
  - From: Daniel Jacobowitz

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]