bug-grep

bug#42946: grep: invalid read in pop_fail_stack


From: Luca Borzacchiello
Subject: bug#42946: grep: invalid read in pop_fail_stack
Date: Thu, 20 Aug 2020 11:02:33 +0200

Dear maintainer,
Running grep 3.4 with the attached inputs causes an invalid read in
pop_fail_stack.
The bug is confirmed for grep 3.3.75-afc5 (git version).

I used the following command line:
grep -f ./crashing_inp ./la_divin.txt

This is the output of valgrind:
==7468== Memcheck, a memory error detector
==7468== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==7468== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==7468== Command: ./src/build/bin/grep -f ./crashing_inp ./la_divin.txt
==7468==
==7468== Invalid read of size 8
==7468==    at 0x128629: pop_fail_stack.isra.0 (regexec.c:1350)
==7468==    by 0x12A61C: set_regs (regexec.c:1451)
==7468==    by 0x12C411: re_search_internal (regexec.c:849)
==7468==    by 0x130FFD: re_search_stub (regexec.c:425)
==7468==    by 0x1316C3: rpl_re_search (regexec.c:289)
==7468==    by 0x10DF0C: EGexecute (dfasearch.c:476)
==7468==    by 0x10C7C5: main (grep.c:2905)
==7468==  Address 0x4b33460 is 16 bytes after a block of size 192 free'd
==7468==    at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==7468==    by 0x12B86C: sift_states_backward (regexec.c:1606)
==7468==    by 0x12CCFD: prune_impossible_nodes (regexec.c:943)
==7468==    by 0x12CCFD: re_search_internal (regexec.c:813)
==7468==    by 0x130FFD: re_search_stub (regexec.c:425)
==7468==    by 0x1316C3: rpl_re_search (regexec.c:289)
==7468==    by 0x10DF0C: EGexecute (dfasearch.c:476)
==7468==    by 0x10C7C5: main (grep.c:2905)
==7468==  Block was alloc'd at
==7468==    at 0x483DFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==7468==    by 0x125ACC: re_node_set_add_intersect (regex_internal.c:1064)
==7468==    by 0x12D223: add_epsilon_src_nodes (regexec.c:1792)
==7468==    by 0x12D223: update_cur_sifted_state (regexec.c:1739)
==7468==    by 0x12B630: sift_states_backward (regexec.c:1570)
==7468==    by 0x12CCFD: prune_impossible_nodes (regexec.c:943)
==7468==    by 0x12CCFD: re_search_internal (regexec.c:813)
==7468==    by 0x130FFD: re_search_stub (regexec.c:425)
==7468==    by 0x1316C3: rpl_re_search (regexec.c:289)
==7468==    by 0x10DF0C: EGexecute (dfasearch.c:476)
==7468==    by 0x10C7C5: main (grep.c:2905)
==7468==
==7468== Invalid read of size 8
==7468==    at 0x12862F: memcpy (string_fortified.h:34)
==7468==    by 0x12862F: pop_fail_stack.isra.0 (regexec.c:1351)
==7468==    by 0x12A61C: set_regs (regexec.c:1451)
==7468==    by 0x12C411: re_search_internal (regexec.c:849)
==7468==    by 0x130FFD: re_search_stub (regexec.c:425)
==7468==    by 0x1316C3: rpl_re_search (regexec.c:289)
==7468==    by 0x10DF0C: EGexecute (dfasearch.c:476)
==7468==    by 0x10C7C5: main (grep.c:2905)
==7468==  Address 0x4b33470 is 32 bytes before a block of size 96 in arena "client"
==7468==
==7468== Invalid read of size 8
==7468==    at 0x4842A7C: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==7468==    by 0x12863A: memcpy (string_fortified.h:34)
==7468==    by 0x12863A: pop_fail_stack.isra.0 (regexec.c:1351)
==7468==    by 0x12A61C: set_regs (regexec.c:1451)
==7468==    by 0x12C411: re_search_internal (regexec.c:849)
==7468==    by 0x130FFD: re_search_stub (regexec.c:425)
==7468==    by 0x1316C3: rpl_re_search (regexec.c:289)
==7468==    by 0x10DF0C: EGexecute (dfasearch.c:476)
==7468==    by 0x10C7C5: main (grep.c:2905)
==7468==  Address 0xa0 is not stack'd, malloc'd or (recently) free'd
==7468==
grep: stack overflow
==7468==
==7468== HEAP SUMMARY:
==7468==     in use at exit: 57,775 bytes in 369 blocks
==7468==   total heap usage: 1,337 allocs, 968 frees, 169,874 bytes allocated
==7468==
==7468== LEAK SUMMARY:
==7468==    definitely lost: 232 bytes in 1 blocks
==7468==    indirectly lost: 736 bytes in 14 blocks
==7468==      possibly lost: 128 bytes in 1 blocks
==7468==    still reachable: 56,679 bytes in 353 blocks
==7468==         suppressed: 0 bytes in 0 blocks
==7468== Rerun with --leak-check=full to see details of leaked memory
==7468==
==7468== For lists of detected and suppressed errors, rerun with: -s
==7468== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)

--
Regards,
Luca Borzacchiello

Attachment: la_divin.txt
Description: Text document

Attachment: crashing_inp
Description: Binary data
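The trace above places the bad reads inside the regex engine (regexec.c, entered through rpl_re_search, i.e. the gnulib replacement bundled with grep rather than the system libc's copy), and the first read touches heap memory just past a block that sift_states_backward had already freed. When triaging a report like this, the first thing a practitioner usually wants is to reproduce it against the regex engine alone, with grep's option handling and I/O out of the way. The harness below is an added example for that purpose; it is not part of this report and not grep's own code. It feeds a -f style pattern file to the POSIX regcomp/regexec API the way grep does (one BRE per line, an empty line matching everything, each text line counted once) and reports what it saw. The struct and function names, the error handling and the sample inputs are assumptions of mine, not anything from the report.

```c
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Counters filled in by run_patterns(). Names are this example's own. */
struct match_stats {
    int patterns_compiled;  /* pattern lines regcomp accepted (empty lines count) */
    int patterns_rejected;  /* pattern lines regcomp refused, e.g. "[a" */
    int lines_matched;      /* text lines matched by at least one pattern */
};

/* Mirror of `grep -f PATTERNS TEXT` on in-memory buffers: every line of
 * `patterns` is one BRE (grep's default syntax), an empty pattern line
 * matches every text line, and a text line is counted once no matter how
 * many patterns hit it. Inputs are treated as NUL-free text.
 * Returns 0 on success, -1 on allocation failure. */
int run_patterns(const char *patterns, const char *text, struct match_stats *st)
{
    memset(st, 0, sizeof *st);

    /* One slot per pattern line: count newlines up front so no growth is needed. */
    size_t cap = 1, npat = 0, lineno = 0;
    for (const char *c = patterns; *c; c++)
        if (*c == '\n')
            cap++;

    char *pats = strdup(patterns);
    char *txt = strdup(text);
    regex_t *re = malloc(cap * sizeof *re);
    int *match_all = malloc(cap * sizeof *match_all);
    int ret = -1;
    if (!pats || !txt || !re || !match_all)
        goto out;

    /* Pass 1: compile each pattern line exactly once, like grep -f does. */
    for (char *p = pats; *p; ) {
        char *nl = strchr(p, '\n');
        if (nl)
            *nl = '\0';
        lineno++;
        if (*p == '\0') {
            match_all[npat++] = 1;      /* grep: empty pattern matches every line */
            st->patterns_compiled++;
        } else {
            int rc = regcomp(&re[npat], p, REG_NOSUB);
            if (rc != 0) {
                char err[128];
                regerror(rc, &re[npat], err, sizeof err);
                fprintf(stderr, "pattern line %zu rejected: %s\n", lineno, err);
                st->patterns_rejected++;
            } else {
                match_all[npat++] = 0;
                st->patterns_compiled++;
            }
        }
        if (!nl)
            break;
        p = nl + 1;
    }

    /* Pass 2: scan the text line by line; this is where the report's trace fires. */
    for (char *l = txt; *l; ) {
        char *nl = strchr(l, '\n');
        if (nl)
            *nl = '\0';
        for (size_t i = 0; i < npat; i++) {
            if (match_all[i] || regexec(&re[i], l, 0, NULL, 0) == 0) {
                st->lines_matched++;
                break;
            }
        }
        if (!nl)
            break;
        l = nl + 1;
    }
    ret = 0;

out:
    for (size_t i = 0; i < npat; i++)
        if (!match_all[i])
            regfree(&re[i]);
    free(re);
    free(match_all);
    free(pats);
    free(txt);
    return ret;
}

/* Read a whole file into a NUL-terminated buffer (caller frees). */
static char *slurp(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) {
        perror(path);
        return NULL;
    }
    char *buf = NULL, chunk[4096];
    size_t len = 0, n;
    while ((n = fread(chunk, 1, sizeof chunk, f)) > 0) {
        char *nb = realloc(buf, len + n + 1);
        if (!nb) {
            free(buf);
            fclose(f);
            return NULL;
        }
        buf = nb;
        memcpy(buf + len, chunk, n);
        len += n;
    }
    fclose(f);
    if (!buf)
        return calloc(1, 1);    /* empty file */
    buf[len] = '\0';
    return buf;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s PATTERN_FILE TEXT_FILE\n", argv[0]);
        return 2;
    }
    char *pats = slurp(argv[1]);
    char *txt = slurp(argv[2]);
    if (!pats || !txt)
        return 1;
    struct match_stats st;
    int rc = run_patterns(pats, txt, &st);
    printf("compiled=%d rejected=%d matched=%d\n",
           st.patterns_compiled, st.patterns_rejected, st.lines_matched);
    free(pats);
    free(txt);
    return rc == 0 ? 0 : 1;
}
```

Build it with -g -fsanitize=address (or run it under valgrind as in the report) and pass the two attachments as PATTERN_FILE and TEXT_FILE. Two caveats: the rpl_ prefix in the trace shows grep used its bundled gnulib regexec.c, so a distribution libc may carry a different revision and a clean run against it does not rule the bug out; to reproduce faithfully, compile this harness against the regex sources from the same grep tree. And crashing_inp is attached as binary data; if it contains NUL bytes, strdup-based splitting truncates it, and the engine would have to be driven with explicit lengths (as grep does through re_search) instead.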

