This is the mail archive of the
libc-alpha@sources.redhat.com
mailing list for the glibc project.
More regex bugs
- From: Daniel Jacobowitz <drow at mvista dot com>
- To: libc-alpha at sources dot redhat dot com
- Date: Fri, 8 Nov 2002 21:34:22 -0500
- Subject: More regex bugs
Consider this program:
#include <sys/types.h>
#include <regex.h>
int main()
{
regex_t reg;
regmatch_t pm[1];
regcomp (®, "man", REG_ICASE);
return regexec (®, "pipenightdreams", 1, pm, 0);
}
This triggers two warnings from valgrind. One's easy, one's harder.
The first one is line 663 in regexec.c:
662 /* Eliminate inappropriate one by fastmap. */
663 if (preg->can_be_null || fastmap == NULL || fastmap[ch])
664 {
preg->can_be_null is not initialized to 0 (or at all).
The second is:
==13497== Invalid read of size 1
==13497== at 0x402FDD6C: re_string_context_at (../include/ctype.h:28)
==13497== by 0x402FDB30: re_string_reconstruct (regex_internal.c:442)
==13497== by 0x402F8A84: re_search_internal (regexec.c:672)
==13497== by 0x402F8250: __regexec (regexec.c:209)
#0 re_string_context_at (input=0xbffff4f0, idx=12, eflags=0, newline_anchor=0) at regex_internal.c:530
#1 0x400c7b30 in re_string_reconstruct (pstr=0xbffff4f0, idx=13, eflags=0, newline=0)
at regex_internal.c:439
#2 0x400c2a84 in re_search_internal (preg=0xbffff5c8, string=0x80484c8 "pipenightdreams", length=15,
start=0, range=77, stop=-1073744656, nmatch=1, pmatch=0xbffff5c0, eflags=0) at regexec.c:667
#3 0x400c2250 in __regexec (preg=0xbffff5c8, string=0xc <Address 0xc out of bounds>, nmatch=1,
pmatch=0xbffff5c0, eflags=0) at regexec.c:209
#4 0x08048459 in main () at reg.c:10
We call re_string_byte_at using an idx of 12. The mbs[] buffer is only five
bytes long. Of that I think that only the first byte is initialized, or
none of it is initialized... yes, it is completely uninitialized.
build_upper_buffer doesn't get called until further down
re_string_reconstruct.
(gdb) p *input
$6 = {raw_mbs = 0x80484c8 "pipenightdreams", mbs = 0x80497d8 "p\232\004\b",
mbs_case = 0x80484c8 "pipenightdreams", wcs = 0x0, cur_state = {__count = 0, __value = {__wch = 0,
__wchb = "\0\0\0"}}, raw_mbs_idx = 0, valid_len = 0, bufs_len = 5, cur_idx = 0, len = 15,
stop = 15, tip_context = 6, trans = 0x0, icase = 1}
I don't think it's safe to call re_string_context_at yet. But I've given up
trying to figure out what is going on here... calling re_string_context_at
when valid_len is 0 is definitely a losing proposition. Someone else will
have to figure out what to do in this one.
--
Daniel Jacobowitz
MontaVista Software Debian GNU/Linux Developer