Bug 142060
| Summary: | regexec check_dst_limits() overruns array | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | John Reiser <jreiser> |
| Component: | glibc | Assignee: | Jakub Jelinek <jakub> |
| Status: | CLOSED UPSTREAM | QA Contact: | Brian Brock <bbrock> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 3 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2004-12-07 14:23:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
http://sources.redhat.com/ml/libc-alpha/2004-11/msg00189.html That patch did not make it into glibc-2.3.3-87 just because I forgot, it is now in CVS HEAd and will be in 2.3.3-88. |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0 Description of problem: $ cd build-i686-linuxnptl/posix; LD_LIBRARY_PATH=.. valgrind --tool=memcheck ./bug-regex11 ==3398== Memcheck, a memory error detector for x86-linux. ==3398== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward et al. ==3398== Using valgrind-2.2.0, a program supervision framework for x86-linux. ==3398== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward et al. ==3398== For more details, rerun with: -v ==3398== ==3398== Invalid read of size 4 ==3398== at 0x1B9A9764: check_dst_limits (regexec.c:1901) ==3398== by 0x1B9AEA6C: sift_states_backward (regexec.c:1643) ==3398== by 0x1B9AF460: update_cur_sifted_state (regexec.c:2149) ==3398== by 0x1B9AE83B: sift_states_backward (regexec.c:1556) ==3398== Address 0x1BB5245C is not stack'd, malloc'd or (recently) free'd ==3398== ==3398== Invalid read of size 1 ==3398== at 0x1B9A975B: check_dst_limits (regexec.c:1934) ==3398== by 0x1B9AEA6C: sift_states_backward (regexec.c:1643) ==3398== by 0x1B9AF460: update_cur_sifted_state (regexec.c:2149) ==3398== by 0x1B9AE83B: sift_states_backward (regexec.c:1556) ==3398== Address 0x1BB5246C is 4 bytes before a block of size 1440 alloc'd ==3398== at 0x1B9054FA: realloc (vg_replace_malloc.c:197) ==3398== by 0x1B9AD248: get_subexp_sub (regexec.c:4172) ==3398== by 0x1B9AD568: transit_state_bkref (regexec.c:2704) ==3398== by 0x1B9AE48D: merge_state_with_log (regexec.c:2336) Version-Release number of selected component (if applicable): glibc-2.3.3-87 How reproducible: Always Steps to Reproduce: 1. Run the internal testcase posix/bug-regex11 under memcheck (valgrind). 2. 3. Actual Results: Two complaints from memcheck. Expected Results: No complaints from memcheck. Additional info: