From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1) Gecko/20031114

Description of problem:
Internal testcase "tst-pcre PCRE.tests" uses uninitialized memory in get_subexp().

Version-Release number of selected component (if applicable):
glibc-2.3.2-101.4

How reproducible:
Always

Steps to Reproduce:
1. Run testcase "tst-pcre PCRE.tests" under a memory access checker.

   Or, run under gdb with a breakpoint on regex_internal.c:171, just after the last call to re_realloc() inside re_string_realloc_buffers(). On the 294-th hit of the breakpoint, set "awatch *(char *)(6+ ...)" where "..." is the value of new_array. The byte will be read before it is written.

Actual Results:
Byte is read by memcmp() in get_subexp() at regexec.c:2571 before it is written.

Expected Results:
No use of uninitialized byte.

Additional info:
Patch for bug 113421 (msg00054.html) has been applied.

Insure++ symptom is:
-----
[regexec.c:2571] (Thread 0)
**READ_UNINIT_MEM(read)**
>>         if (sl_str_diff > 0

  Reading uninitialized memory.

  Pointer  : 0x4022475e
  In block : 0x40224758 thru 0x4022475e (7 bytes)
             block allocated at regex_internal.c, 169
               re_string_realloc_buffers()  regex_internal.c, 169
               re_search_internal()         regexec.c, 66
               __regexec()                  regexec.c, 214
               main()                       tst-pcre.c, 169

  Stack trace where the error occurred:
               get_subexp()                 regexec.c, 2571
               transit_state_bkref()        regex_internal.c, 2445
               transit_state()              regexec.c, 2251
               check_matching()             regexec.c, 1025
               re_search_internal()         regexec.c, 748
               __regexec()                  regexec.c, 214
               main()                       tst-pcre.c, 169

Breakpoint 1, gdb_break_here () at chap0.S:70
70      chap0.S: No such file or directory.
        in chap0.S
Current language:  auto; currently asm
(gdb) x/x $esp
0xbfffe864:     0x400e7793
(gdb) x/i $__
0x400e7793 <get_subexp+291>:    repz cmpsb %es:(%edi),%ds:(%esi)
(gdb) p/x $edi
$53 = 0x40224758
(gdb) p/x $esi
$54 = 0x4022475e
(gdb) bt
#0  gdb_break_here () at chap0.S:70
#1  0x400e7793 in get_subexp (mctx=0x4022409c, bkref_node=6, bkref_str_idx=1075980896) at regexec.c:2571
#2  0x400e71b0 in transit_state_bkref (mctx=0xbfffef10, nodes=0x4022409c) at regexec.c:2445
#3  0x400e6ad5 in transit_state (err=0xbfffeea8, mctx=0xbfffef10, state=0x2) at regexec.c:2251
#4  0x400e47ef in check_matching (mctx=0xbfffef10, fl_longest_match=1) at regexec.c:1025
#5  0x400e40e6 in re_search_internal (preg=0x2, string=0x4021f848 "ABCABC", length=6, start=0, range=6, stop=6, nmatch=20, pmatch=0xbffff25c, eflags=0) at regexec.c:748
#6  0x400e366d in __regexec (preg=0xbffff23c, string=0x4021f848 "ABCABC", nmatch=1075988318, pmatch=0x4022475e, eflags=0) at regexec.c:214
#7  0x08048a0b in main (argc=2, argv=0x401607d8) at tst-pcre.c:169
#8  0x40040760 in __libc_start_main (main=0x8048720 <main>, argc=2, ubp_av=0xbffff390, init=0x8048ea0 <__libc_csu_init>, fini=0xbffff23c, rtld_fini=0x4021f848, stack_end=0x6) at ../sysdeps/generic/libc-start.c:205
-----

The 296-th allocation also leads to a use of an uninitialized byte:
-----
[regexec.c:2602] (Thread 0)
**READ_UNINIT_MEM(read)**
>>         if (sl_str_off > 0 && *bkref_str++ != buf[sl_str - 1])

  Reading uninitialized memory.

  Pointer  : 0x4021dffd
  In block : 0x4021dff8 thru 0x4021dffd (6 bytes)
             block allocated at regex_internal.c, 169
               re_string_realloc_buffers()  regex_internal.c, 169
               re_search_internal()         regexec.c, 66
               __regexec()                  regexec.c, 214
               main()                       tst-pcre.c, 169

  Stack trace where the error occurred:
               get_subexp()                 regexec.c, 2602
               transit_state_bkref()        regex_internal.c, 2445
               transit_state()              regexec.c, 2251
               check_matching()             regexec.c, 1025
               re_search_internal()         regexec.c, 748
               __regexec()                  regexec.c, 214
               main()                       tst-pcre.c, 169

Breakpoint 1, gdb_break_here () at chap0.S:70
70      chap0.S: No such file or directory.
        in chap0.S
Current language:  auto; currently asm
(gdb) x/x $esp
0xbfffe868:     0x400e782e
(gdb) x/6i $__
0x400e782e <get_subexp+446>:    movzbl (%esi),%edx
0x400e7831 <get_subexp+449>:    inc    %esi
0x400e7832 <get_subexp+450>:    mov    0xffffffd8(%ebp),%ecx
0x400e7835 <get_subexp+453>:    mov    0xffffffc8(%ebp),%edi
0x400e7838 <get_subexp+456>:    cmp    0xffffffff(%edi,%ecx,1),%dl   ### %dl is low byte of %edx
0x400e783c <get_subexp+460>:    jne    0x400e7859 <get_subexp+489>
(gdb) p/x $esi
$61 = 0x4021dffd
(gdb) bt
#0  gdb_break_here () at chap0.S:70
#1  0x400e782e in get_subexp (mctx=0x40220194, bkref_node=3, bkref_str_idx=1075962688) at regexec.c:2602
#2  0x400e71b0 in transit_state_bkref (mctx=0xbfffef10, nodes=0x40220194) at regexec.c:2445
#3  0x400e6ad5 in transit_state (err=0xbfffeea8, mctx=0xbfffef10, state=0x0) at regexec.c:2251
#4  0x400e47ef in check_matching (mctx=0xbfffef10, fl_longest_match=1) at regexec.c:1025
#5  0x400e40e6 in re_search_internal (preg=0x0, string=0x4021f848 "Ab4ab", length=5, start=0, range=5, stop=5, nmatch=20, pmatch=0xbffff25c, eflags=0) at regexec.c:748
#6  0x400e366d in __regexec (preg=0xbffff23c, string=0x4021f848 "Ab4ab", nmatch=0, pmatch=0x0, eflags=0) at regexec.c:214
#7  0x08048a0b in main (argc=2, argv=0x401607d8) at tst-pcre.c:169
#8  0x40040760 in __libc_start_main (main=0x8048720 <main>, argc=2, ubp_av=0xbffff390, init=0x8048ea0 <__libc_csu_init>, fini=0xbffff23c, rtld_fini=0x4021f848, stack_end=0x3) at ../sysdeps/generic/libc-start.c:205
-----
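The reproduction above relies on running the glibc regex back-reference path (get_subexp) under a memory checker. As an added example, not part of the bug report or of glibc's own test suite, the following harness drives regcomp()/regexec() with back-reference patterns so a build can be checked the same way under valgrind; the patterns and all subjects other than "ABCABC" are constructed assumptions, not the contents of PCRE.tests.

```c
/* Added example, not from the bug report: runs back-reference patterns through
 * glibc's regcomp()/regexec() so a build can be checked under a memory checker,
 * e.g. gcc -g -O0 harness.c -o harness && valgrind --track-origins=yes ./harness
 * (a regression would show as "Conditional jump or move depends on
 * uninitialised value(s)" with get_subexp() in the reported stack). */
#include <regex.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define MAX_GROUPS 20   /* tst-pcre calls regexec() with nmatch=20; do the same */
/* Returns 1 if PATTERN (a POSIX ERE with a back-reference) matches the whole
 * SUBJECT, 0 on REG_NOMATCH and -1 if the pattern does not compile. */
int backref_match(const char *pattern, const char *subject)
{
    regex_t re;
    regmatch_t m[MAX_GROUPS];
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    rc = regexec(&re, subject, MAX_GROUPS, m, 0);
    regfree(&re);
    if (rc == REG_NOMATCH)
        return 0;
    return m[0].rm_so == 0 && m[0].rm_eo == (regoff_t) strlen(subject);
}

/* Runs a table of constructed cases and returns how many gave an unexpected
 * result. "ABCABC" is the subject string from the backtrace above; the
 * patterns are assumptions, not the ones in PCRE.tests. */
int check_known_cases(void)
{
    static const struct { const char *pat, *sub; int want; } cases[] = {
        { "^(ABC)\\1$", "ABCABC", 1 },
        { "^(ABC)\\1$", "ABCABD", 0 },
        { "^(A+)B\\1$", "AABAA",  1 },
    };
    int failures = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int got = backref_match(cases[i].pat, cases[i].sub);
        if (got != cases[i].want) {
            printf("FAIL: /%s/ on \"%s\": got %d, want %d\n", cases[i].pat, cases[i].sub, got, cases[i].want);
            failures++;
        }
    }
    return failures;
}

int main(void) { return check_known_cases() == 0 ? 0 : 1; }
```

A clean valgrind run (no uninitialised-value reports in get_subexp) together with an exit status of 0 is the expected result on a fixed glibc.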
http://sources.redhat.com/ml/libc-hacker/2004-01/msg00070.html
Assume fixed in current release.