[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: two (and a half) more crashes in regex module

From: Tim Rühsen
Subject: Re: two (and a half) more crashes in regex module
Date: Wed, 12 Sep 2018 09:23:54 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.0

On 9/12/18 8:02 AM, Assaf Gordon wrote:
> Hello,
> Prompted by the recent bug reports, I decided to do some
> targeted fuzzing on gnulib's regex module using afl.
> So far I found two obscure bugs, and one pathological case.
> Can be easily reproduced with:
>    $ echo 1 |  grep -E "(\'|^)(\1|)"
>    grep: regexec.c:1375: pop_fail_stack: Assertion `num >= 0' failed.
>    Aborted
>    $ echo A | grep -E "$(printf '(\227|)(\\1\\1|t1|\\\2537)+')"
>    Segmentation fault  ## stack overflow due to infinite recursion
> And the following pathological case can easily consume hundreds of MB of
> RAM (more "+" - more RAM):
>    $ echo 1 | time grep -E '(.)++++++++++++++++++++++|'

I stumbled upon the memory consumption (and slowness) a while ago, but
it seems to be a well-known issue regarding

So, never accept regex patterns from untrusted sources.

Regards, Tim

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]