Hi, currently regcomp() misses many checks for memory allocation failures, and it also does not properly release memory on error paths. This means a malloc failure usually causes either a SEGV or a memory leak. The attached patch (regex.diff) adds the return value checks and the memory deallocation on failure. I have been debugging this issue by fuzzing re_malloc() and re_realloc(), making them return NULL at random. The patch with the added fuzzing is attached as regex-fuzzed.diff. testcase.c has been used to exercise the modified regcomp(). Memory violations and leaks have been checked with valgrind: valgrind --leak-check=full --show-reachable=yes --trace-children=yes ./testrun.sh ./testcase Regards, -- Jindřich Makovička
Attachment:
regex.diff
Description: Binary data
Attachment:
regex-fuzzed.diff
Description: Binary data
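#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <regex.h>

/*
 * Test driver for regcomp() allocation-failure handling.
 *
 * Compiles one large extended regex ITERATIONS times.  With re_malloc() and
 * re_realloc() patched to fail at random (regex-fuzzed.diff), each iteration
 * may take a different error path inside regcomp(); running the driver under
 * valgrind then reports any invalid access or leak on those paths.
 *
 * Returns 0 always: failures are observed through valgrind output (or a
 * crash), not through the exit status.
 */
enum { ITERATIONS = 11235 };

int main(void)
{
    /* Alternation-heavy pattern chosen to drive many allocations per call. */
    static const char pattern[] =
        "^"
        "(/([0-9]+)(-([a-z]+))(\\.das|\\.dsadsad)?\\.qewqw)"
        "|(/([0-9]+)/([0-9]+)(\\.dsasda|\\.dasd)?\\.qweqw)"
        "|(/([0-9]+)/([0-9]+)/([0-9]+)/([0-9]+)(-wer([0-9]+))?(-fdsfds([0-9]+))?(\\.[qweqwe])?(\\.adsas|\\.dsasd)?\\.dasd)"
        "|(/fasdkjlds/([a-z]+)/([0-9]+)/([0-9]+)([0-9]+)?/([0-9]+)([0-9]+)?(\\.asds|\\.dsasd)?\\.dasdas)"
        "|(/werruwoe/([0-9]+)(/([0-9]+))?\\.rtewui)"
        "|(/czxczxcvzx/([a-z]+)/([0-9]+)/([0-9]+)(/([0-9]+))?(\\.ytert|\\.tert)?\\.qwwerqwe)"
        "|(/([0-9]+)-qweqw-([a-z]+)(-([0-9]+)(-([0-9]+))?)?(\\.qweqwe|\\.tretr)?\\.fsdfsd)"
        "|(/vxvxzcvz/([a-z]+)/([0-9]+)/([0-9]+)/([0-9]+)(\\.czxcv|\\.jhgjh)?\\.czxc)"
        "$";
    regex_t regexp;

    for (int i = 0; i < ITERATIONS; i++) {
        /* Zero the regex_t before every attempt so a failed compile cannot
           leave stale pointers for the next regcomp() to trip over. */
        memset(&regexp, 0, sizeof regexp);
        /* Separator in the log so a valgrind report can be tied to an
           iteration. */
        fprintf(stderr, "====\n");
        int r = regcomp(&regexp, pattern, REG_EXTENDED);
        /* regfree() is only valid after a successful regcomp(); on failure
           regcomp() itself is responsible for releasing what it allocated,
           which is exactly what this driver checks. */
        if (r == 0) {
            regfree(&regexp);
        }
    }
    return 0;
}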