/* gnulib regex crash reproducer
Copyright (C) 2018 Assaf Gordon
License: GPLv3-or-later */
#define _GNU_SOURCE
#include
#include
#include
#include
#include
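/*
 * Reproducer entry point: compiles one of two back-reference patterns with
 * RE_SYNTAX_EGREP and runs re_search() over a short fixed input.  The
 * "#if 1" switch below selects which crash case is built.
 *
 * Needs memset/strlen (<string.h>), the GNU re_* API (<regex.h>, with
 * _GNU_SOURCE defined first) and errx (<err.h>).
 *
 * Both cases are triggered by the pattern text alone, so code that hands
 * untrusted patterns to these APIs should be assumed reachable the same way
 * (abort or stack exhaustion, i.e. denial of service).
 *
 * Returns 0 if neither the compile nor the search crashes; exits with
 * status 1 via errx() when re_compile_pattern() reports an error.
 */
int main(void)
{
  const char *input = "1AAAAAA";
  /* static storage: zero-initialised, and cleared again by memset below */
  static struct re_pattern_buffer regex;
#if 1
  /* Crash 1:
     with gnulib:
       regexec.c:1375: pop_fail_stack: Assertion `num >= 0' failed.
     with glibc:
       Invalid read of size 1
         at 0x4F07573: re_compile_pattern (regcomp.c:227)
         by 0x1088CF: main (1.c:35)
       Address 0x38 is not stack'd, malloc'd or (recently) free'd
  */
  const char *pat = "(\\'|^)(\\1|)";
  int no_sub = 1;
#else
  /* crash 2:
     too-deep recursion in check_dst_limits_calc_pos_1 (regexec.c:1906) */
  const char *pat = "(\227|)(\\1\\1|t1|\\\2537)+";
  int no_sub = 0;
#endif

  memset (&regex, 0, sizeof regex);

  /* NOTE(review): when no_sub is non-zero (crash 1) preg is NULL, so
     re_compile_pattern() receives a null pattern buffer.  The glibc trace
     above (invalid read at the small address 0x38 inside
     re_compile_pattern) is consistent with a dereference of that null
     pointer, i.e. possibly an artifact of this reproducer rather than a
     fault in the regex engine -- confirm before triaging.  Passing &regex
     unconditionally would let execution reach re_search(). */
  struct re_pattern_buffer *preg = (no_sub) ? NULL : &regex;

  regex.no_sub = no_sub;
  re_set_syntax (RE_SYNTAX_EGREP);

  /* re_compile_pattern() returns NULL on success, else an error string */
  const char *s = re_compile_pattern (pat, strlen (pat), preg);
  if (s)
    errx (1, "re_compile_pattern failed: %s\n", s);

  /* Result deliberately ignored: the crash itself is the observable. */
  re_search (&regex, input, strlen (input),
             0,               /* start */
             strlen (input),  /* range */
             NULL             /* registers */
             );
  return 0;
}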