bin/102299: grep(1) malloc abuse?

Devon H. O'Dell devon.odell at
Wed Sep 13 14:20:28 PDT 2006

The following reply was made to PR bin/102299; it has been noted by GNATS.

From: "Devon H. O'Dell" <devon.odell at>
To: bug-followup at,  matthias.andree at, 
 Thomas Quinot <thomas at FreeBSD.ORG>,
  tjr at
Subject: Re: bin/102299: grep(1) malloc abuse?
Date: Wed, 13 Sep 2006 17:12:26 -0400

 Turns out the problem is in libgnuregex. The attached patch solves the 
 problem. I followed the instructions from FREEBSD-upgrade, removing the 
 release tag, and the current vendor branch does not fix this issue.
 Attached is a patch that fixes the issue for me and doesn't seem to 
 cause any regressions whatsoever.
 Patch also available at
 I'm not sure whether submitting this patch to the vendor is terribly 
 useful, since this is part of glibc in Linux and their malloc doesn't 
 have this behavior.
 Kind regards,
 Devon H. O'Dell
 --- gnu/lib/libregex/regex_internal.c.old	Wed Sep 13 16:23:37 2006
 +++ gnu/lib/libregex/regex_internal.c	Wed Sep 13 16:22:55 2006
 @@ -1501,9 +1501,17 @@
    int i;
    newstate->hash = hash;
 -  err = re_node_set_alloc (&newstate->non_eps_nodes, newstate->nodes.nelem);
 -  if (BE (err != REG_NOERROR, 0))
 -    return REG_ESPACE;
 +  /*
 +   * Allocating with a length of 0 has undefined behavior, and we recover from
 +   * this error later on in the function. So don't do it.
 +   */
 +  if (newstate->nodes.nelem != 0) {
 +    err = re_node_set_alloc (&newstate->non_eps_nodes, newstate->nodes.nelem);
 +    if (BE (err != REG_NOERROR, 0))
 +      return REG_ESPACE;
 +  }
    for (i = 0; i < newstate->nodes.nelem; i++)
        int elem = newstate->nodes.elems[i];
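Review bot: the guard around re_node_set_alloc leaves newstate->non_eps_nodes untouched when nodes.nelem == 0, and nothing in the hunk initializes that set, so its alloc/nelem/elems fields hold whatever the struct held before the call (acceptable only if newstate was zero-filled on creation, which this hunk does not show); consider either setting the three fields explicitly in an else branch, or handling size 0 inside re_node_set_alloc itself so every caller benefits rather than just this one. The new comment also overstates the case: a zero-byte malloc is implementation-defined in C (it may return NULL or a unique pointer), not undefined behavior, and the visible lines only show that result being propagated as REG_ESPACE.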

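As an added illustration, not the author's patch or libgnuregex code, here is the allocation pattern the hunk works around, with constructed names modelled on re_node_set_alloc: the naive version reports every NULL from the allocator as an out-of-space error, so under an allocator that returns NULL for zero-byte requests (which the C standard permits) an empty set can never be created, while the hardened version treats NULL as an error only when bytes were actually requested. The malloc_zero_is_null wrapper is a constructed stand-in for such an allocator, and node_set_insert_last shows that a set created with size 0 stays usable because it grows from alloc == 0.

```c
#include <stdlib.h>

/* Minimal stand-in for libgnuregex's re_node_set (constructed names). */
typedef struct { int alloc; int nelem; int *elems; } node_set;
enum { SET_OK = 0, SET_ESPACE = 1 };

/* Constructed allocator modelling a malloc that returns NULL for a
 * zero-byte request, which the C standard allows an implementation to do. */
static void *malloc_zero_is_null(size_t n)
{
    return n == 0 ? NULL : malloc(n);
}

/* Pre-patch pattern: every NULL from the allocator is reported as an
 * out-of-space error, so an empty set fails under such an allocator. */
int node_set_alloc_naive(node_set *set, int size)
{
    set->alloc = size;
    set->nelem = 0;
    set->elems = malloc_zero_is_null((size_t)size * sizeof(int));
    return set->elems == NULL ? SET_ESPACE : SET_OK;
}

/* Hardened: an empty set needs no storage, so NULL is only an error
 * when bytes were actually requested. Fields are always left defined. */
int node_set_alloc_safe(node_set *set, int size)
{
    set->alloc = size;
    set->nelem = 0;
    set->elems = malloc_zero_is_null((size_t)size * sizeof(int));
    return (set->elems == NULL && size != 0) ? SET_ESPACE : SET_OK;
}

/* Append one element, growing from alloc == 0 via realloc(NULL, n), so a
 * set created with size 0 is fully usable afterwards. */
int node_set_insert_last(node_set *set, int elem)
{
    if (set->nelem == set->alloc) {
        int new_alloc = (set->alloc + 1) * 2;
        int *p = realloc(set->elems, (size_t)new_alloc * sizeof(int));
        if (p == NULL)
            return SET_ESPACE;
        set->elems = p;
        set->alloc = new_alloc;
    }
    set->elems[set->nelem++] = elem;
    return SET_OK;
}
```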