| Summary: | buffer overrun in transit_state()/regexec.c | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | John Reiser <jreiser> |
| Component: | glibc | Assignee: | Jakub Jelinek <jakub> |
| Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 9 | CC: | fweimer |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i686 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2003-04-09 19:21:41 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2003-136.html |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529 Description of problem: Testcase posix/bug-regex4 accesses beyond a malloc()ed block in routine transit_state(). The overrun happens in the second call to re_search_2: ----- match[1] = re_search_2 (®ex, NULL, 0, "abc", 3, 0, 3, NULL, 3); ----- A concise description of the problem is: ----- [regexec.c:2077] (Thread 0) **READ_OVERFLOW** >> ch = re_string_fetch_byte (mctx->input); Reading overflows memory. bbbbbbbbbbbbbbbbb | 5 | 1 | rrrrr Reading (r) : 0x0804c215 thru 0x0804c215 (1 byte) From block (b) : 0x0804c210 thru 0x0804c214 (5 bytes) block allocated at regexec.c, 335 re_search_2_stub() regexec.c, 335 __re_search_2() regexec.c, 308 main() bug-regex4.c, 48 Stack trace where the error occurred: transit_state() regexec.c, 2077 check_matching() regexec.c, 1009 re_search_internal() regexec.c, 744 re_search_stub() regexec.c, 411 re_search_2_stub() regexec.c, 349 __re_search_2() regexec.c, 308 main() bug-regex4.c, 48 ----- The gdb traceback at the point of error is ----- #1 0x40280808 in transit_state (err=0xbfffea60, preg=0xbfffe8d0, mctx=0xbfffe8d0, state=0x804bbd8, fl_search=1075641654) at regexec.c:2077 #2 0x4027e4fa in check_matching (preg=0xbfffea60, mctx=0xbfffe8d0, fl_search=0, fl_longest_match=1) at regexec.c:1009 #3 0x4027dd70 in re_search_internal (preg=0xbfffea60, string=0x804c210 "xyabd", length=5, start=2, range=3, stop=3, nmatch=1, pmatch=0x804c280, eflags=0) at regexec.c:744 #4 0x4027d67b in re_search_stub (bufp=0xbfffea60, string=0x3 <Address 0x3 out of bounds>, length=5, start=2, range=0, stop=3, regs=0x0, ret_len=0) at regexec.c:411 #5 0x4027d51a in re_search_2_stub (bufp=0x3, string1=0x80486a1 "xya", length1=134529664, string2=0x804869e "bd", length2=2, start=3, range=3, regs=0x3, stop=8, ret_len=3) at regexec.c:349 #6 0x4027d421 in __re_search_2 (bufp=0x3, string1=0x3 <Address 0x3 out of bounds>, length1=3, string2=0x3 <Address 0x3 out of bounds>, length2=3, start=3, range=3, regs=0x3, stop=3) at regexec.c:308 #7 0x08048580 in main () at bug-regex4.c:48 #8 0x401d4574 in __libc_start_main (main=0x8048410 <main>, argc=1, ubp_av=0xbfffead4, init=0x80485d0 <__libc_csu_init>, fini=0x804c280, rtld_fini=0x40064020, stack_end=0x804c212) at ../sysdeps/generic/libc-start.c:152 ----- The code at the point of error is: ----- 0x402807f5 <transit_state+101>: testb $0x8,0x1c(%esi) 0x402807f9 <transit_state+105>: jne 0x40280b20 <transit_state+912> 0x402807ff <transit_state+111>: mov 0xc(%edi),%ecx 0x40280802 <transit_state+114>: mov 0x24(%ecx),%eax 0x40280805 <transit_state+117>: mov 0x4(%ecx),%edx 0x40280808 <transit_state+120>: movzbl (%eax,%edx,1),%edx ##### bad access 0x4028080c <transit_state+124>: inc %eax 0x4028080d <transit_state+125>: mov %eax,0x24(%ecx) 0x40280810 <transit_state+128>: mov 0x18(%ebp),%eax 0x40280813 <transit_state+131>: test %eax,%eax 0x40280815 <transit_state+133>: mov %dl,0xffffffd3(%ebp) 0x40280818 <transit_state+136>: je 0x40280b15 <transit_state+901> (gdb) p/x $edx $2 = 0x804c212 (gdb) p/x $eax $3 = 0x3 ----- [glibc-2.3.2-20030313/build-i686-linuxnptl/libc.so was loaded at a .text base of 0x401d4380 for this run.] Version-Release number of selected component (if applicable): glibc-2.3.2-11.9 How reproducible: Always Steps to Reproduce: 1.Run testcase posix/bug-regex4. 2.Observe the second call to re_search_2() on line 47 of posix/bug-regex4.c. 3. Actual Results: Buffer overrun as in Description. Expected Results: No buffer overrun. Additional info: