Date: Wed, 13 Sep 2006 21:20:27 GMT
From: "Devon H. O'Dell" <devon.odell@coyotepoint.com>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/102299: grep(1) malloc abuse?
Message-ID: <200609132120.k8DLKRDn034641@freefall.freebsd.org>
The following reply was made to PR bin/102299; it has been noted by GNATS.

From: "Devon H. O'Dell" <devon.odell@coyotepoint.com>
To: bug-followup@FreeBSD.org, matthias.andree@gmx.de, Thomas Quinot <thomas@FreeBSD.ORG>, tjr@FreeBSD.org
Cc:
Subject: Re: bin/102299: grep(1) malloc abuse?
Date: Wed, 13 Sep 2006 17:12:26 -0400

Turns out the problem is in libgnuregex. The attached patch solves the problem.

I followed the instructions from FREEBSD-upgrade, removing the release tag, and the current vendor branch does not fix this issue. Attached is a patch that fixes the issue for me and doesn't seem to cause any regressions whatsoever. Patch also available at http://databits.net/~dho/regex_internal.patch

I'm not sure whether submitting this patch to the vendor is terribly useful, since this is part of glibc in Linux and their malloc doesn't have this behavior.

Kind regards,
Devon H. O'Dell

Attachment: regex_internal.patch

--- gnu/lib/libregex/regex_internal.c.old Wed Sep 13 16:23:37 2006
+++ gnu/lib/libregex/regex_internal.c Wed Sep 13 16:22:55 2006
@@ -1501,9 +1501,17 @@ int i; newstate->hash = hash; - err = re_node_set_alloc (&newstate->non_eps_nodes, newstate->nodes.nelem); - if (BE (err != REG_NOERROR, 0)) - return REG_ESPACE; + + /* + * Allocating with a length of 0 has undefined behavior, and we recover from + * this error later on in the function. So don't do it. + */ + if (newstate->nodes.nelem != 0) { + err = re_node_set_alloc (&newstate->non_eps_nodes, newstate->nodes.nelem); + if (BE (err != REG_NOERROR, 0)) + return REG_ESPACE; + } + for (i = 0; i < newstate->nodes.nelem; i++) { int elem = newstate->nodes.elems[i]; --------------050600010302050802000303--
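Review bot: In the added `if (newstate->nodes.nelem != 0)` block, the case nelem == 0 now skips re_node_set_alloc entirely, so newstate->non_eps_nodes is never initialized on that path; unless newstate was zero-filled when it was allocated, its alloc/nelem/elems fields hold whatever was in memory and a later insert into, or free of, that set operates on garbage. Make the empty case explicit instead of relying on the caller's allocation, e.g. add an else branch with `re_node_set_init_empty (&newstate->non_eps_nodes);` (the memset helper regex_internal.h provides). The new comment also overstates the standard: malloc(0) is implementation-defined in C, not undefined behavior; what this hunk works around is that a NULL return for a zero-byte request is reported by re_node_set_alloc as REG_ESPACE, i.e. indistinguishable from a real allocation failure. "we recover from this error later on in the function" does not say what is recovered or where; state instead that a state with no nodes simply has an empty non_eps_nodes set, which is what the loop that follows leaves it as.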
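The failure mode the message describes, as an added example that is not part of the PR, of libgnuregex or of FreeBSD's malloc: a node-set allocator that reports every NULL from the allocator as REG_ESPACE misreports a legitimate zero-length request whenever the underlying malloc returns NULL for size 0, and the guard from the patch avoids the call. The `node_set` struct, the `zero_hostile_malloc` hook (constructed to model a malloc that refuses zero-byte requests) and the REG_* values are all assumptions for illustration; the guarded variant also initializes the empty set explicitly, so it is safe to grow afterwards.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the regex error codes; values assumed. */
#define REG_NOERROR 0
#define REG_ESPACE  12

/* Minimal stand-in for libgnuregex's re_node_set: a growable int array. */
typedef struct {
    int alloc;   /* capacity of elems */
    int nelem;   /* elements in use */
    int *elems;
} node_set;

/* Hypothetical allocator that hands back NULL for zero-byte requests, to
 * model a malloc that refuses them (malloc(0) is implementation-defined in C). */
static void *zero_hostile_malloc(size_t n)
{
    return n == 0 ? NULL : malloc(n);
}

/* Pre-patch pattern: every NULL from the allocator is reported as REG_ESPACE,
 * so a legitimate zero-length request looks like out-of-memory. */
static int node_set_alloc_unguarded(node_set *set, int size)
{
    set->alloc = size;
    set->nelem = 0;
    set->elems = zero_hostile_malloc((size_t)size * sizeof(int));
    return set->elems == NULL ? REG_ESPACE : REG_NOERROR;
}

/* Patched pattern: never ask the allocator for zero bytes; the empty set is
 * initialized explicitly instead of being left to whatever was in memory. */
static int node_set_alloc_guarded(node_set *set, int size)
{
    if (size == 0) {
        memset(set, 0, sizeof *set);   /* alloc = 0, nelem = 0, elems = NULL */
        return REG_NOERROR;
    }
    return node_set_alloc_unguarded(set, size);
}

/* Appends an element, growing the array; works from the explicitly empty
 * set because realloc(NULL, n) behaves like malloc(n). */
static int node_set_insert(node_set *set, int elem)
{
    if (set->nelem == set->alloc) {
        int new_alloc = set->alloc ? set->alloc * 2 : 1;
        int *p = realloc(set->elems, (size_t)new_alloc * sizeof(int));
        if (p == NULL)
            return REG_ESPACE;
        set->elems = p;
        set->alloc = new_alloc;
    }
    set->elems[set->nelem++] = elem;
    return REG_NOERROR;
}

static void node_set_free(node_set *set)
{
    free(set->elems);
    set->elems = NULL;
    set->alloc = set->nelem = 0;
}

/* Builds a state with `n` nodes under each scheme and returns the error code
 * the caller would see; the pre-patch scheme returns REG_ESPACE for n == 0. */
int build_state_unguarded(int n)
{
    node_set s;
    int err = node_set_alloc_unguarded(&s, n);
    node_set_free(&s);
    return err;
}

int build_state_guarded(int n)
{
    node_set s;
    int err = node_set_alloc_guarded(&s, n);
    node_set_free(&s);
    return err;
}

/* Allocates an empty set with the guard, inserts `count` elements and returns
 * the resulting element count, or -1 on allocation failure. */
int guarded_then_insert(int count)
{
    node_set s;
    int i, n;
    if (node_set_alloc_guarded(&s, 0) != REG_NOERROR)
        return -1;
    for (i = 0; i < count; i++) {
        if (node_set_insert(&s, i) != REG_NOERROR) {
            node_set_free(&s);
            return -1;
        }
    }
    n = s.nelem;
    node_set_free(&s);
    return n;
}
```

On a platform whose malloc returns a usable pointer for size 0 the unguarded variant would never misreport, which is why the same libgnuregex code behaves differently under glibc; the guarded variant does not depend on that choice at all.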