bug-sed
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#32592: heap-use-after-free in regex module (was: s with i modifier s

From: Jim Meyering
Subject: bug#32592: heap-use-after-free in regex module (was: s with i modifier seems to work incorrectly)
Date: Wed, 5 Sep 2018 06:23:21 -0700 
On Wed, Sep 5, 2018 at 12:32 AM Assaf Gordon <address@hidden> wrote:
>
> (adding gnulib)
>
> On 04/09/18 07:02 PM, Saito Takaaki wrote:
> [... discussing a sed bug ...]
> > However, a friend showed me a more complex case which is
> > problematic even with sed 4.4 on ideone.  The last two lines of the
> > output (for the identical input lines) are  particularly interesting.
> > https://ideone.com/Sq5xJX
> >
> > I hope this helps even a bit.
>
> Thank you for persisting with this bug.
>
> The linked snippet you provided exposed a heap-use-after-free bug
> in gnulib's regex module (possibly in glibc as well).
>
> A simple way to reproduce with latest sed:
>
>    cd sed
>    ./bootstrap
>    ./configure --with-included-regex
>    make
>    echo 'abcdefghijklmns!!!!!!!!!!' \
>       | valgrind ./sed/sed -E 'h;G;s/((.).+(.))(.*\n.*\1)/\2-\3\4/i'
>
> Results in a use-after-free relating to the back-references (valgrind
> output below). There's some interplay with the input length - if the
> exclamation marks are removed, the bug is not triggered.
> The bug does not trigger without the case-insensitive flag (s///i).
>
> This is easier to trigger with gnulib (hence --with-included-regex)
> but happens also with glibc's regex module.
>
> This could also mean that the bug you previously reported and I surmised
> was fixed is not fixed at all - could be that it was just much harder to
> trigger with later sed versions.
>
> I'm still learning the code so don't have a fix yet.

Wow, another!?! Thanks for pursuing!
reply via email to
[Prev in Thread] Current Thread [Next in Thread]