[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Patches] [PATCH] handle malloc() and realloc() failures in regcomp()



Hi,

currently, regcomp() misses a lot of checks for memory allocation
failures, and it also does not properly release memory on error paths.
This means a malloc error usually causes either a SEGV or a memory
leak.

The attached patch (regex.diff) adds the return value checks and
memory deallocation on failures.

I have been debugging this issue by fuzzing re_malloc() and
re_realloc(), making them randomly return NULL. The patch with added
fuzzing is attached as regex-fuzzed.diff . testcase.c has been used to
exercise the modified regcomp().
Memory violations or leaks have been tested using valgrind: valgrind
--leak-check=full --show-reachable=yes --trace-children=yes
./testrun.sh ./testcase

Regards,
-- 
Jindřich Makovička

Attachment: regex.diff
Description: Binary data

Attachment: regex-fuzzed.diff
Description: Binary data

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <regex.h>

int main()
{
    int r, i;
    regex_t regexp;

    for (i = 0;i < 11235; i++) {
        memset(&regexp, 0, sizeof(regex_t));
        fprintf(stderr, "====\n");
        r = regcomp(&regexp, "^"
                    "(/([0-9]+)(-([a-z]+))(\\.das|\\.dsadsad)?\\.qewqw)"
                    "|(/([0-9]+)/([0-9]+)(\\.dsasda|\\.dasd)?\\.qweqw)"
                    "|(/([0-9]+)/([0-9]+)/([0-9]+)/([0-9]+)(-wer([0-9]+))?(-fdsfds([0-9]+))?(\\.[qweqwe])?(\\.adsas|\\.dsasd)?\\.dasd)"
                    "|(/fasdkjlds/([a-z]+)/([0-9]+)/([0-9]+)([0-9]+)?/([0-9]+)([0-9]+)?(\\.asds|\\.dsasd)?\\.dasdas)"
                    "|(/werruwoe/([0-9]+)(/([0-9]+))?\\.rtewui)"
                    "|(/czxczxcvzx/([a-z]+)/([0-9]+)/([0-9]+)(/([0-9]+))?(\\.ytert|\\.tert)?\\.qwwerqwe)"
                    "|(/([0-9]+)-qweqw-([a-z]+)(-([0-9]+)(-([0-9]+))?)?(\\.qweqwe|\\.tretr)?\\.fsdfsd)"
                    "|(/vxvxzcvz/([a-z]+)/([0-9]+)/([0-9]+)/([0-9]+)(\\.czxcv|\\.jhgjh)?\\.czxc)"
                    "$", REG_EXTENDED);
        if (r == 0) {
            regfree(&regexp);
        }
    }

    return 0;
}
_______________________________________________
Patches mailing list
Patches@xxxxxxxxxx
http://eglibc.org/cgi-bin/mailman/listinfo/patches