Reported to upstream sed via bug-gnu-utils@gnu.org. $ echo ကျွန်ုပ် | sed 's/[^x]x//' *** glibc detected *** sed: free(): invalid next size (fast): 0x0000000000c4d400 *** Same result for $ echo ကျွန်ုပ်x | grep '[^x]x'
valgrind complains: ==10965== Invalid write of size 8 ==10965== at 0x35F8689563: __GI_memset (in /usr/lib64/libc-2.16.so) ==10965== by 0x35F86CA636: clean_state_log_if_needed (in /usr/lib64/libc-2.16.so) ==10965== by 0x35F86D60C6: re_search_internal (in /usr/lib64/libc-2.16.so) ==10965== by 0x35F86D67E4: re_search_stub (in /usr/lib64/libc-2.16.so) ==10965== by 0x35F86D7087: re_search (in /usr/lib64/libc-2.16.so) ==10965== by 0x407B3A: match_regex (regexp.c:252) ==10965== by 0x406AFB: execute_program (execute.c:1189) ==10965== by 0x4077BF: process_files (execute.c:1857) ==10965== by 0x402496: main (sed.c:366) ==10965== Address 0x4c47fb8 is 0 bytes after a block of size 104 alloc'd ==10965== at 0x4A08A2E: realloc (vg_replace_malloc.c:662) ==10965== by 0x35F86CA4B2: extend_buffers (in /usr/lib64/libc-2.16.so) ==10965== by 0x35F86CA5D2: clean_state_log_if_needed (in /usr/lib64/libc-2.16.so) ==10965== by 0x35F86D60C6: re_search_internal (in /usr/lib64/libc-2.16.so) ==10965== by 0x35F86D67E4: re_search_stub (in /usr/lib64/libc-2.16.so) ==10965== by 0x35F86D7087: re_search (in /usr/lib64/libc-2.16.so) ==10965== by 0x407B3A: match_regex (regexp.c:252) ==10965== by 0x406AFB: execute_program (execute.c:1189) ==10965== by 0x4077BF: process_files (execute.c:1857) ==10965== by 0x402496: main (sed.c:366) ==10965==
Confirmed fails on master as of 2013-01-30.
I'm reviewing Andreas' patch: http://sourceware.org/ml/libc-alpha/2013-01/msg00967.html
Fixed in 2.18.
*** Bug 260998 has been marked as a duplicate of this bug. *** Seen from the domain http://volichat.com Page where seen: http://volichat.com/adult-chat-rooms Marked for reference. Resolved as fixed @bugzilla.