From: Assaf Gordon
Subject: two (and a half) more crashes in regex module
Date: Wed, 12 Sep 2018 00:02:48 -0600
User-agent: Mutt/1.5.23 (2014-03-12)
Hello,

Prompted by the recent bug reports, I decided to do some targeted fuzzing on gnulib's regex module using afl.

So far I found two obscure bugs, and one pathological case. Can be easily reproduced with:

    $ echo 1 | grep -E "(\'|^)(\1|)"
    grep: regexec.c:1375: pop_fail_stack: Assertion `num >= 0' failed.
    Aborted

    $ echo A | grep -E "$(printf '(\227|)(\\1\\1|t1|\\\2537)+')"
    Segmentation fault
    ## stack overflow due to infinite recursion

And the following pathological case can easily consume hundreds of MB of RAM (more "+" - more RAM):

    $ echo 1 | time grep -E '(.)++++++++++++++++++++++|'

Attached are valgrind/gdb details of each crash, and also a C reproducer (if it's easier to debug with a tiny C program instead of grep).

(As usual, I don't have a fix yet...)

regards,
- assaf
Attachments:
    crash1.valgrind.log (Text document)
    crash2.valgrind.log (Text document)
    1.c (Text Data)
    crash2.gdb.log.gz (application/gzip)
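As an added example (not the attached 1.c and not gnulib code), a small C harness that runs a pattern through the system libc's POSIX regex in a forked child with address-space and CPU-time limits, so an assertion abort, stack overflow or runaway allocation like the ones reported above shows up as a classified outcome instead of taking the caller down. It assumes a POSIX system (fork, setrlimit) and the libc's regcomp/regexec, which is not the same matcher path as grep -E, so a libc with these bugs fixed will simply report a normal result for all three inputs.

```c
#include <regex.h>
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of compiling and running one pattern inside an isolated child. */
enum rx_outcome { RX_MATCH, RX_NOMATCH, RX_COMPILE_ERR, RX_RESOURCE, RX_CRASHED, RX_INTERNAL };
static const char *const rx_names[] = { "match", "no match", "compile error",
                                        "hit resource limit", "crashed (signal)", "harness error" };
/* Compile PATTERN as an ERE and run it against SUBJECT in a forked child whose
   address space and CPU time are capped, so an assertion abort, stack overflow
   or runaway allocation in the engine only takes down the child. */
enum rx_outcome probe_pattern(const char *pattern, const char *subject,
                              rlim_t mem_bytes, rlim_t cpu_secs)
{
    pid_t pid = fork();
    if (pid < 0) return RX_INTERNAL;
    if (pid == 0) {
        struct rlimit mem = { mem_bytes, mem_bytes }, cpu = { cpu_secs, cpu_secs };
        setrlimit(RLIMIT_AS, &mem);   /* runaway allocation -> malloc fails -> REG_ESPACE */
        setrlimit(RLIMIT_CPU, &cpu);  /* runaway matching -> SIGXCPU */
        regex_t re;
        int rc = regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB);
        if (rc != 0) _exit(rc == REG_ESPACE ? RX_RESOURCE : RX_COMPILE_ERR);
        rc = regexec(&re, subject, 0, NULL, 0);
        regfree(&re);
        _exit(rc == 0 ? RX_MATCH : rc == REG_ESPACE ? RX_RESOURCE : RX_NOMATCH);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return RX_INTERNAL;
    if (WIFSIGNALED(status))  /* SIGABRT/SIGSEGV mean an engine bug; SIGXCPU/SIGKILL a limit */
        return (WTERMSIG(status) == SIGXCPU || WTERMSIG(status) == SIGKILL) ? RX_RESOURCE : RX_CRASHED;
    return WIFEXITED(status) ? (enum rx_outcome)WEXITSTATUS(status) : RX_INTERNAL;
}

int main(void)
{
    /* The three inputs from the report above, as C literals equivalent to the shell ones. */
    static const char *const cases[][2] = {
        { "(\\'|^)(\\1|)", "1" },
        { "(\227|)(\\1\\1|t1|\\\2537)+", "A" },
        { "(.)++++++++++++++++++++++|", "1" },
    };
    for (int i = 0; i < 3; i++)
        printf("pattern %d: %s\n", i + 1,
               rx_names[probe_pattern(cases[i][0], cases[i][1], 512UL << 20, 5)]);
    return 0;
}
```

The same wrapper is a reasonable way to evaluate any pattern that comes from untrusted input, since a crash or blow-up in the child is reported rather than inherited by the service.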