bug-gnu-utils

[PATCH] Crash bug in Grep's DFA freeing


From: Aaron Lehmann
Subject: [PATCH] Crash bug in Grep's DFA freeing
Date: Thu, 29 Mar 2001 20:33:57 -0800
User-agent: Mutt/1.3.15i

I needed a DFA engine for the application I'm writing. I ended up
taking dfa.[ch] from the GNU Grep distribution. In the process, I
found a regular expression that, unless I am doing something very
wrong, will cause a segmentation fault when trying to free it:

        ^http://([^.]+\.)?suck\.(lycos\.)?com/sponsors/.*\.html$

Executing this test case (linked to dfa.c from the GNU Grep 2.4.2
distribution) results in an immediate segfault in free() for me:

#include <stdio.h>
#include <string.h>     /* strlen */
#include <regex.h>
#include "dfa.h"

int main (void)
{
        struct dfa rx;
        char *r = "^http://([^.]+\\.)?suck\\.(lycos\\.)?com/sponsors/.*\\.html$";

        dfasyntax ((RE_CHAR_CLASSES | RE_CONTEXT_INDEP_ANCHORS |
                    RE_CONTEXT_INDEP_OPS | RE_HAT_LISTS_NOT_NEWLINE |
                    RE_NEWLINE_ALT | RE_NO_BK_PARENS | RE_NO_BK_VBAR), 0, '\n');

        /* Compile the pattern, then free it without ever running a match. */
        dfacomp(r, strlen(r), &rx, 1);
        dfafree(&rx);   /* segfaults inside free() */
        return 0;
}

/* Error callback that dfa.c expects the caller to provide. */
void dfaerror (const char *mesg)
{
        fprintf (stderr, "Regexp error: %s\n", mesg); fflush (stderr);
}


The following patch seems to fix this bug.

--- dfa.c  Thu Mar 29 20:28:41 2001
+++ dfa.c~       Thu Mar 29 20:27:04 2001
@@ -1978,6 +1978,10 @@
   d->tralloc = 0;
 
   d->musts = 0;
+  d->realtrans = 0;
+  d->fails = 0;
+  d->newlines = 0;
+  d->success = 0;
 }
 
 /* Parse and analyze a single string of the given length. */
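
Review bot: the four assignments added after `d->musts = 0;` carry no comment saying why these members must be zeroed here, and the hunk does not show that realtrans, fails, newlines and success are the complete set of pointers dfafree() releases. Add a one-line comment stating the reason, and check every member dfafree() frees against this initializer so that no other pointer is left unset. The header also labels the `+` side `dfa.c~`, which has the earlier timestamp, and the `@@` line carries no function name; regenerating the diff from original to modified with `diff -up` would make it easier to apply and review.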

Attachment: pgpmYHnv_9Xc4.pgp
Description: PGP signature
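
An added illustration of the failure mode the report and patch describe; it is not code from the original message or from GNU grep. It assumes a free routine that releases every pointer member, and shows how to audit an initializer by poisoning the struct first and counting the pointers still unset. `struct toy_dfa`, `init_unpatched`, `init_patched` and `stale_pointers_after` are hypothetical names; only the member names come from the patch.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in, not grep's real struct dfa. Member names follow
   the patch; the types are assumptions made for this example. */
struct toy_dfa {
    int tralloc;
    char *musts;
    int **realtrans;    /* assumed to be allocated only once matching runs */
    int **fails;
    int *newlines;
    int *success;
};

/* Initializer as the unpatched hunk shows it: only tralloc and musts set. */
static void init_unpatched(struct toy_dfa *d)
{
    d->tralloc = 0;
    d->musts = 0;
}

/* Initializer with the four assignments the patch adds. */
static void init_patched(struct toy_dfa *d)
{
    init_unpatched(d);
    d->realtrans = 0;
    d->fails = 0;
    d->newlines = 0;
    d->success = 0;
}

/* Poison the struct the way leftover stack contents would, run the
   initializer, and count pointer members that are still garbage. Each one
   would reach free() as an invalid pointer on a compile-then-free path. */
static int stale_pointers_after(void (*init)(struct toy_dfa *))
{
    struct toy_dfa d;
    memset(&d, 0xA5, sizeof d);     /* constructed poison pattern */
    init(&d);
    return (d.musts != NULL) + (d.realtrans != NULL) + (d.fails != NULL)
         + (d.newlines != NULL) + (d.success != NULL);
}

int main(void)
{
    /* Exit status 0 when the unpatched init leaves 4 and the patched 0. */
    return !(stale_pointers_after(init_unpatched) == 4
             && stale_pointers_after(init_patched) == 0);
}
```

The same poison-then-init check works as a regression test for any struct whose cleanup function frees members that are filled in lazily.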