This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug regex/22620] New: parse_expression blows stack for a 20k-byte regexp with only '('s
- From: "jim at meyering dot net" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Sat, 16 Dec 2017 19:13:32 +0000
- Subject: [Bug regex/22620] New: parse_expression blows stack for a 20k-byte regexp with only '('s
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=22620
Bug ID: 22620
Summary: parse_expression blows stack for a 20k-byte regexp with only '('s
Product: glibc
Version: 2.28
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: regex
Assignee: unassigned at sourceware dot org
Reporter: jim at meyering dot net
CC: drepper.fsp at gmail dot com
Target Milestone: ---
glibc's regexp parser used to diagnose this problem with "Unmatched ( or \(",
but that no longer happens. Perhaps related (since COMPILE_STACK_ macros are
what caught the problem before), this change in 2002 removed the code in
question:
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=51f38e87b13f233bdf76bd6d3edaabf4fd9eb126
Now, attempting to compile such a regexp causes stack overflow and probable
segfault.
Demonstrate with this:
$ cat regex-compile-lparen-stack-overflow.c
#include <stdlib.h>
#include <string.h>
#include <regex.h>

int
main (int argc, char **argv)
{
  size_t n = 40000;
  regex_t preg;

  /* Build a pattern consisting of n unmatched '(' characters.  */
  char *pat = malloc (n + 1);
  if (!pat)
    return 2;
  memset (pat, '(', n);
  pat[n] = '\0';

  /* Expected: regcomp fails with REG_EPAREN ("Unmatched ( or \(") and
     we exit 0.  Exit status 1 means the pattern was wrongly accepted;
     a crash here is the stack overflow being reported.  */
  int rc = regcomp (&preg, pat, REG_EXTENDED);
  return rc == 0;
}
$ gcc -g -O -Wall regex-compile-lparen-stack-overflow.c && ./a.out
segmentation fault (core dumped) ./a.out
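As an added example (not part of this report or of glibc), a defensive pre-check for callers that hand untrusted patterns to regcomp: it bounds group nesting before the recursive parser runs, so an input like the reporter's is refused up front instead of consuming stack. MAX_GROUP_DEPTH, regex_max_group_depth, safe_regcomp and safe_regcomp_ok are assumed names, and the limit of 200 and the reuse of REG_ESPACE as the refusal code are assumptions.

```c
#include <regex.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy limit (not a glibc constant): the parser recurses once per open group. */
#define MAX_GROUP_DEPTH 200

/* Maximum group nesting depth in PAT for CFLAGS (REG_EXTENDED or basic).  Escaped
   parens and parens inside bracket expressions are not groups; a bracket expression
   is closed at the first eligible ']', so this over-counts, never under-counts. */
size_t regex_max_group_depth (const char *pat, int cflags)
{
  int ere = (cflags & REG_EXTENDED) != 0;
  size_t depth = 0, max_depth = 0;
  for (const char *p = pat; *p; p++) {
    int group = 0;                        /* +1 opens a group, -1 closes one */
    if (*p == '[') {                      /* bracket expression: parens inside are literal */
      if (*++p == '^') p++;               /* ']' right after '[' or '[^' is a member */
      if (*p == ']') p++;
      while (*p && *p != ']') p++;
      if (!*p) break;                     /* unterminated: regcomp rejects it anyway */
      continue;
    }
    if (*p == '\\') {                     /* \( and \) are groups only in BRE */
      if (!*++p) break;                   /* trailing backslash: regcomp rejects it */
      group = ere ? 0 : (*p == '(') - (*p == ')');
    } else if (ere)                       /* bare ( and ) are groups only in ERE */
      group = (*p == '(') - (*p == ')');
    if (group > 0 && ++depth > max_depth) max_depth = depth;
    else if (group < 0 && depth) depth--;
  }
  return max_depth;
}

/* regcomp wrapper that refuses over-nested patterns; reusing REG_ESPACE is an assumption. */
int safe_regcomp (regex_t *preg, const char *pat, int cflags)
{
  if (regex_max_group_depth (pat, cflags) > MAX_GROUP_DEPTH)
    return REG_ESPACE;
  return regcomp (preg, pat, cflags);
}

/* 1 if PAT compiles through safe_regcomp, 0 if it is refused or invalid. */
int safe_regcomp_ok (const char *pat, int cflags)
{
  regex_t re;
  int rc = safe_regcomp (&re, pat, cflags);
  if (rc == 0) regfree (&re);
  return rc == 0;
}
```

The check is deliberately conservative: it may reject an unusual but valid pattern, but it never lets a deeper nesting through than it reports.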