Hi, currently, regcomp() misses a lot of checks for memory allocation failures, and it also does not properly release memory on error paths. This means a malloc error usually causes either a SEGV or a memory leak. The attached patch (regex.diff) adds the return value checks and memory deallocation on failures. I have been debugging this issue by fuzzing re_malloc() and re_realloc(), making them randomly return NULL. The patch with added fuzzing is attached as regex-fuzzed.diff . testcase.c has been used to exercise the modified regcomp(). Memory violations or leaks have been tested using valgrind: valgrind --leak-check=full --show-reachable=yes --trace-children=yes ./testrun.sh ./testcase Regards, -- Jindřich Makovička
Attachment:
regex.diff
Description: Binary data
Attachment:
regex-fuzzed.diff
Description: Binary data
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <regex.h>
int main()
{
int r, i;
regex_t regexp;
for (i = 0;i < 11235; i++) {
memset(®exp, 0, sizeof(regex_t));
fprintf(stderr, "====\n");
r = regcomp(®exp, "^"
"(/([0-9]+)(-([a-z]+))(\\.das|\\.dsadsad)?\\.qewqw)"
"|(/([0-9]+)/([0-9]+)(\\.dsasda|\\.dasd)?\\.qweqw)"
"|(/([0-9]+)/([0-9]+)/([0-9]+)/([0-9]+)(-wer([0-9]+))?(-fdsfds([0-9]+))?(\\.[qweqwe])?(\\.adsas|\\.dsasd)?\\.dasd)"
"|(/fasdkjlds/([a-z]+)/([0-9]+)/([0-9]+)([0-9]+)?/([0-9]+)([0-9]+)?(\\.asds|\\.dsasd)?\\.dasdas)"
"|(/werruwoe/([0-9]+)(/([0-9]+))?\\.rtewui)"
"|(/czxczxcvzx/([a-z]+)/([0-9]+)/([0-9]+)(/([0-9]+))?(\\.ytert|\\.tert)?\\.qwwerqwe)"
"|(/([0-9]+)-qweqw-([a-z]+)(-([0-9]+)(-([0-9]+))?)?(\\.qweqwe|\\.tretr)?\\.fsdfsd)"
"|(/vxvxzcvz/([a-z]+)/([0-9]+)/([0-9]+)/([0-9]+)(\\.czxcv|\\.jhgjh)?\\.czxc)"
"$", REG_EXTENDED);
if (r == 0) {
regfree(®exp);
}
}
return 0;
}
_______________________________________________ Patches mailing list Patches@xxxxxxxxxx http://eglibc.org/cgi-bin/mailman/listinfo/patches