bin/102299: grep(1) malloc abuse?
Devon H. O'Dell
devon.odell at coyotepoint.com
Wed Sep 13 14:20:28 PDT 2006
The following reply was made to PR bin/102299; it has been noted by GNATS.
From: "Devon H. O'Dell" <devon.odell at coyotepoint.com>
To: bug-followup at FreeBSD.org, matthias.andree at gmx.de, Thomas Quinot <thomas at FreeBSD.ORG>, tjr at FreeBSD.org
Cc:
Subject: Re: bin/102299: grep(1) malloc abuse?
Date: Wed, 13 Sep 2006 17:12:26 -0400
Turns out the problem is in libgnuregex. The attached patch solves the
problem. I followed the instructions from FREEBSD-upgrade, removing the
release tag, and the current vendor branch does not fix this issue.
Attached is a patch that fixes the issue for me and doesn't seem to
cause any regressions whatsoever.
Patch also available at http://databits.net/~dho/regex_internal.patch
I'm not sure whether submitting this patch to the vendor is terribly
useful, since this is part of glibc in Linux and their malloc doesn't
have this behavior.
Kind regards,
Devon H. O'Dell
Attachment: regex_internal.patch
--- gnu/lib/libregex/regex_internal.c.old Wed Sep 13 16:23:37 2006
+++ gnu/lib/libregex/regex_internal.c Wed Sep 13 16:22:55 2006
@@ -1501,9 +1501,17 @@
int i;
newstate->hash = hash;
- err = re_node_set_alloc (&newstate->non_eps_nodes, newstate->nodes.nelem);
- if (BE (err != REG_NOERROR, 0))
- return REG_ESPACE;
+
+ /*
+ * Allocating with a length of 0 has undefined behavior, and we recover from
+ * this error later on in the function. So don't do it.
+ */
+ if (newstate->nodes.nelem != 0) {
+ err = re_node_set_alloc (&newstate->non_eps_nodes, newstate->nodes.nelem);
+ if (BE (err != REG_NOERROR, 0))
+ return REG_ESPACE;
+ }
+
for (i = 0; i < newstate->nodes.nelem; i++)
{
int elem = newstate->nodes.elems[i];
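Review bot: when newstate->nodes.nelem is 0 the new guard skips re_node_set_alloc entirely, so newstate->non_eps_nodes is left in whatever state it had before this point; anything that later reads or frees that set depends on newstate having been zero-initialised (e.g. via calloc) before this code runs, so either confirm that or add an else branch that explicitly sets non_eps_nodes.alloc, nelem and elems to 0. The comment also overstates the case: malloc(0) is implementation-defined in C (it may legitimately return NULL), not undefined, and "we recover from this error later on in the function" does not say what is being avoided; better to state that a NULL returned for a zero-length allocation was being mistaken for REG_ESPACE. Minor: this file puts braces on their own lines (see the `{` under the for loop), so `if (newstate->nodes.nelem != 0) {` breaks the surrounding style.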
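The failure mode the patch works around, as an added example that is not part of the PR or of libgnuregex: a stand-in for the allocation pattern the hunk replaces, beside the guarded form, run under an allocator that returns NULL for zero-byte requests. node_set, xmalloc, set_alloc_naive, set_alloc_guarded and the status helpers are constructed names; the REG_* values are assumed.

```c
#include <stdlib.h>
#include <string.h>

/* Return codes the hunk uses; real values come from regex.h (assumed here). */
#define REG_NOERROR 0
#define REG_ESPACE  12

/* Constructed stand-in for libgnuregex's re_node_set. */
typedef struct { int alloc; int nelem; int *elems; } node_set;

/* C leaves malloc(0) implementation-defined; it may return NULL. This wrapper
   models such an allocator so the bug reproduces on any platform. */
static int malloc_zero_returns_null = 1;

static void *xmalloc(size_t n)
{
    if (n == 0 && malloc_zero_returns_null)
        return NULL;
    return malloc(n ? n : 1);
}

/* Before: the pattern the patch replaces. A NULL from a zero-byte request is
   indistinguishable from out-of-memory, so an empty set reports REG_ESPACE. */
static int set_alloc_naive(node_set *set, int size)
{
    set->alloc = size;
    set->nelem = 0;
    set->elems = xmalloc((size_t)size * sizeof(int));
    return set->elems == NULL ? REG_ESPACE : REG_NOERROR;
}

/* After: an empty set needs no storage, so never ask the allocator for 0 bytes.
   Zeroing first leaves a well-defined empty set for later code and for free(). */
static int set_alloc_guarded(node_set *set, int size)
{
    memset(set, 0, sizeof *set);
    return size == 0 ? REG_NOERROR : set_alloc_naive(set, size);
}

/* free(NULL) is a no-op, so releasing an empty set is safe. */
static void set_free(node_set *set) { free(set->elems); set->elems = NULL; }

/* Allocate then release a set of `size` slots; return the status each variant gives. */
static int naive_status(int size)
{
    node_set s; int err = set_alloc_naive(&s, size); set_free(&s); return err;
}
static int guarded_status(int size)
{
    node_set s; int err = set_alloc_guarded(&s, size); set_free(&s); return err;
}
```

On an allocator whose malloc(0) returns a unique pointer (set malloc_zero_returns_null to 0) both variants succeed for size 0, which is why the bug surfaces only on some platforms.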