
two more crashes in regex module

From: Assaf Gordon
Subject: two more crashes in regex module
Date: Wed, 12 Sep 2018 00:05:48 -0600
User-agent: Mutt/1.5.23 (2014-03-12)


Prompted by the recent bug reports, I decided to do some
targeted fuzzing on gnulib's regex module using afl.

So far I found two (obscure) bugs.

They can be easily reproduced with:

   $ echo 1 |  grep -E "(\'|^)(\1|)"
   grep: regexec.c:1375: pop_fail_stack: Assertion `num >= 0' failed.

   $ echo A | grep -E "$(printf '(\227|)(\\1\\1|t1|\\\2537)+')"
   Segmentation fault  ## stack overflow due to infinite recursion

Attached are valgrind/gdb details of each crash,
and also a C reproducer (if it's easier to debug with a tiny
C program instead of grep).

(As usual, I don't have a fix yet...)

  - assaf

Attachment: crash1.valgrind.log
Description: Text document

Attachment: crash2.valgrind.log
Description: Text document

Attachment: 1.c
Description: Text Data

Attachment: crash2.gdb.log.gz
Description: application/gzip
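The report shows a regex engine that can abort or overflow its stack on attacker-chosen patterns, so any program that compiles untrusted patterns inherits that denial of service. The following is an added example, not the attached 1.c and not gnulib's own code: it runs regcomp/regexec in a forked child so that an assertion failure or stack overflow only kills the child, and the parent records the outcome. It assumes a POSIX system with the glibc/gnulib regex API; the two crashing patterns are embedded as byte-for-byte C literals of what the shell commands above produce.

```c
#define _GNU_SOURCE
#include <regex.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of running one pattern against one subject in an isolated child. */
enum rx_result { RX_MATCH, RX_NOMATCH, RX_BAD_PATTERN, RX_CRASHED };

/* Compile and match in a child process: a regcomp()/regexec() crash
   (SIGABRT from a failed assertion, SIGSEGV from unbounded recursion)
   terminates the child, and the parent maps that to RX_CRASHED. */
enum rx_result rx_isolated(const char *pattern, const char *subject)
{
    pid_t pid = fork();
    if (pid < 0)
        return RX_CRASHED;              /* cannot isolate: treat as unsafe */
    if (pid == 0) {
        regex_t re;
        if (regcomp(&re, pattern, REG_EXTENDED) != 0)
            _exit(RX_BAD_PATTERN);
        int rc = regexec(&re, subject, 0, NULL, 0);
        regfree(&re);
        _exit(rc == 0 ? RX_MATCH : RX_NOMATCH);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return RX_CRASHED;
    if (WIFEXITED(status))
        return (enum rx_result)WEXITSTATUS(status);
    return RX_CRASHED;                  /* WIFSIGNALED: child was killed */
}

int main(void)
{
    /* Constructed inputs: the two patterns from the report (the second is
       the byte sequence the printf command expands to), plus a benign one. */
    const char *cases[][2] = {
        { "(\\'|^)(\\1|)",                "1" },
        { "(\227|)(\\1\\1|t1|\\\2537)+",  "A" },
        { "^[0-9]+$",                     "1" },
    };
    static const char *names[] = { "match", "no match", "bad pattern", "CRASHED" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("pattern %zu: %s\n", i, names[rx_isolated(cases[i][0], cases[i][1])]);
    return 0;
}
```

On a regex library that still has these bugs the first two cases print CRASHED while the process itself keeps running; on a fixed library they simply report match or no match.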
