From: Anatoly Trosinenko <anatoly.trosinenko@HIDDEN>
To: bug-grep@HIDDEN
Date: Sat, 22 Sep 2018 17:55:20 +0300
Subject: bug#32805: Stack overflow when processing "0?{77}{770}" extended regexp
Message-ID: <CAE5jQCfj98tBHegQ5WKpo1wKZ2Mcm8__Fu=AXukCc8sQE6N6Lw@HIDDEN>

Hello,

When fuzzing GNU grep, I have found a stack overflow on processing a
simple extended regexp. It is reproduced with the latest commit from
master branch 51dacfb (Sep 19).

$ export LC_ALL=C
$ gdb -q --args ./grep -E "0?{77}{770}"
Reading symbols from ./grep...(no debugging symbols found)...done.
(gdb) r
Starting program: /path/to/grep -E 0\?\{77\}\{770\}
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff760230e in _int_malloc (av=av@entry=0x7ffff7959c40 <main_arena>, bytes=bytes@entry=4) at malloc.c:3557
3557    malloc.c: No such file or directory.
(gdb) bt
#0  0x00007ffff760230e in _int_malloc (av=av@entry=0x7ffff7959c40 <main_arena>, bytes=bytes@entry=4) at malloc.c:3557
#1  0x00007ffff76050fc in __GI___libc_malloc (bytes=4) at malloc.c:3057
#2  0x00007ffff766177b in re_node_set_alloc (size=<optimized out>, set=0x7fffff7ff0d0) at regex_internal.c:963
#3  calc_eclosure_iter (new_set=new_set@entry=0x7fffff7ff170, dfa=dfa@entry=0x555555788e70, node=116418, root=root@entry=0) at regcomp.c:1682
#4  0x00007ffff7661af7 in calc_eclosure_iter (new_set=new_set@entry=0x7fffff7ff200, dfa=dfa@entry=0x555555788e70, node=<optimized out>, root=root@entry=0) at regcomp.c:1719
#5  0x00007ffff7661af7 in calc_eclosure_iter (new_set=new_set@entry=0x7fffff7ff290, dfa=dfa@entry=0x555555788e70, node=<optimized out>, root=root@entry=0) at regcomp.c:1719
#6  0x00007ffff7661af7 in calc_eclosure_iter (new_set=new_set@entry=0x7fffff7ff320, dfa=dfa@entry=0x555555788e70, node=<optimized out>, root=root@entry=0) at regcomp.c:1719
#7  0x00007ffff7661af7 in calc_eclosure_iter (new_set=new_set@entry=0x7fffff7ff3b0, dfa=dfa@entry=0x555555788e70, node=<optimized out>, root=root@entry=0) at regcomp.c:1719
#8  0x00007ffff7661af7 in calc_eclosure_iter (new_set=new_set@entry=0x7fffff7ff440, dfa=dfa@entry=0x555555788e70, node=<optimized out>, root=root@entry=0) at regcomp.c:1719
#9  0x00007ffff7661af7 in calc_eclosure_iter (new_set=new_set@entry=0x7fffff7ff4d0, dfa=dfa@entry=0x555555788e70, node=<optimized out>, root=root@entry=0) at regcomp.c:1719
#10 0x00007ffff7661af7 in calc_eclosure_iter (new_set=new_set@entry=0x7fffff7ff560, dfa=dfa@entry=0x555555788e70, node=<optimized out>, root=root@entry=0) at regcomp.c:1719
#11 0x00007ffff7661af7 in calc_eclosure_iter (new_set=new_set@entry=0x7fffff7ff5f0, dfa=dfa@entry=0x555555788e70, node=<optimized out>, root=root@entry=0) at regcomp.c:1719
#12 0x00007ffff7661af7 in calc_eclosure_iter (new_set=new_set@entry=0x7fffff7ff680, dfa=dfa@entry=0x555555788e70, node=<optimized out>, root=root@entry=0) at regcomp.c:1719
#13 0x00007ffff7661af7 in calc_eclosure_iter (new_set=new_set@entry=0x7fffff7ff710, dfa=dfa@entry=0x555555788e70, node=<optimized out>, root=root@entry=0) at regcomp.c:1719
#14 0x00007ffff7661af7 in calc_eclosure_iter (new_set=new_set@entry=0x7fffff7ff7a0, dfa=dfa@entry=0x555555788e70, node=<optimized out>, root=root@entry=0) at regcomp.c:1719
... and so on

Best regards
Anatoly
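
Added illustration, not part of the original report and not glibc or gnulib code: a simplified model of why an epsilon closure computed by recursion (the repeated calc_eclosure_iter frames above) needs C stack proportional to the expanded pattern, next to a heap-worklist version that does not. Assumptions: each of the 77 * 770 copies of `0?` is modelled as one chained node (the real node count is higher, the deepest frame shows node=116418), the 0x90-byte frame size is read from the spacing of the new_set addresses in the backtrace, and the 8 MiB stack limit is assumed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not glibc/gnulib code: each copy of `0?` is one node
   with an epsilon edge to the next copy (nodes 0..last). Recursive walk, the
   shape in the backtrace: one call per edge. Returns the deepest depth. */
static size_t closure_recursive(size_t node, size_t last, unsigned char *seen,
                                size_t depth)
{
    seen[node] = 1;
    if (node == last || seen[node + 1])
        return depth;
    return closure_recursive(node + 1, last, seen, depth + 1);
}
static size_t recursive_depth(size_t copies)
{
    unsigned char *seen = calloc(copies + 1, 1);
    size_t d = seen ? closure_recursive(0, copies, seen, 1) : 0;
    free(seen);
    return d;
}

/* Same closure with a heap worklist, so C stack use does not grow with the
   pattern. Returns the closure size, or 0 if allocation fails. */
static size_t closure_iterative(size_t start, size_t last)
{
    unsigned char *seen = calloc(last + 1, 1);
    size_t *work = malloc((last + 1) * sizeof *work);
    size_t top = 0, count = 0;
    if (seen && work) { seen[start] = 1; work[top++] = start; }
    while (top > 0) {
        size_t n = work[--top];
        count++;
        if (n < last && !seen[n + 1]) { seen[n + 1] = 1; work[top++] = n + 1; }
    }
    free(seen); free(work);
    return count;
}

/* Stack bytes for `depth` nested calls of `frame` bytes each. */
static unsigned long long stack_needed(unsigned long long depth, unsigned frame)
{ return depth * frame; }

int main(void)
{
    /* 0x90: new_set address spacing per backtrace frame; 8 MiB: assumed limit */
    printf("%zu %zu %llu/%llu\n", recursive_depth(77),
           closure_iterative(0, 77 * 770), stack_needed(77 * 770, 0x90), 8ULL << 20);
    return 0;
}
```

Under these assumptions the recursive walk needs more stack than the assumed limit provides, while the worklist version visits the same nodes with constant C stack.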

From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Anatoly Trosinenko <anatoly.trosinenko@HIDDEN>
Date: Sat, 22 Sep 2018 15:21:03 +0000
Subject: bug#32805: Acknowledgement (Stack overflow when processing "0?{77}{770}" extended regexp)
Reply-To: 32805 <at> debbugs.gnu.org

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 bug-grep@HIDDEN

If you wish to submit further information on this problem, please
send it to 32805 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

-- 
32805: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=32805
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems