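/* gnulib regex crash reproducer
   Copyright (C) 2018 Assaf Gordon
   License: GPLv3-or-later */

/* Must come before every #include so that <regex.h> exposes the GNU
   interface used below (re_set_syntax, re_compile_pattern, re_search).  */
#define _GNU_SOURCE

/* NOTE(review): the page lost the header names (five bare "#include"
   directives) and rendered "&regex" as a registered-trademark sign.
   <string.h>, <regex.h> and <err.h> follow from the calls made below;
   <stdio.h> and <stdlib.h> are a best guess for the other two.  */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <regex.h>
#include <err.h>

/*
 * Compile one of two hard-coded patterns with the GNU regex API under
 * RE_SYNTAX_EGREP, then run re_search over a fixed seven-byte input.
 * The "#if 1" below selects which case is built; flip it to 0 for the
 * second case.  The program is expected to abort or fault rather than
 * return; exit status 0 means the crash did not reproduce.
 *
 * The glibc trace quoted under crash 1 has the shape of a memory checker
 * report.  Building with -g and -fsanitize=address,undefined, or running
 * under such a checker, shows in which function the fault lands.
 */
int main(void)
{
  const char *input = "1AAAAAA";
  /* Static storage: already zeroed at start-up, cleared again below.  */
  static struct re_pattern_buffer regex;

#if 1
  /* Crash 1:
     with gnulib:
       regexec.c:1375: pop_fail_stack: Assertion `num >= 0' failed.
     with glibc:
       Invalid read of size 1
         at 0x4F07573: re_compile_pattern (regcomp.c:227)
         by 0x1088CF: main (1.c:35)
       Address 0x38 is not stack'd, malloc'd or (recently) free'd  */
  const char *pat = "(\\'|^)(\\1|)";
  int no_sub = 1;
#else
  /* Crash 2:
     too-deep recursion in check_dst_limits_calc_pos_1 (regexec.c:1906)  */
  const char *pat = "(\227|)(\\1\\1|t1|\\\2537)+";
  int no_sub = 0;
#endif

  memset (&regex, 0, sizeof regex);

  /* NOTE(review): when no_sub is set (crash 1) preg is NULL, and that NULL
     is what re_compile_pattern receives as the buffer to fill.  The glibc
     report above (a read at the small address 0x38 inside
     re_compile_pattern) looks like a field access through that NULL
     pointer, i.e. a fault in this harness rather than in the matcher.
     Confirm this before triaging crash 1 on glibc as a library defect.
     On that path `regex' is also never compiled before it reaches
     re_search.  Kept as on the page so the quoted traces stay valid.  */
  struct re_pattern_buffer *preg = (no_sub)?NULL:&regex;
  regex.no_sub = no_sub;

  re_set_syntax(RE_SYNTAX_EGREP);

  /* re_compile_pattern returns NULL on success, else an error message.  */
  const char *s = re_compile_pattern (pat, strlen(pat), preg);
  if (s)
    errx(1,"re_compile_pattern failed: %s\n", s);

  /* The match result is deliberately ignored: only the crash matters.  */
  re_search(&regex, input, strlen(input),
            0,              /* start */
            strlen(input),  /* range */
            NULL            /* registers */ );

  return 0;
}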