Bug 142060 - regexec check_dst_limits() overruns array
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: glibc (Show other bugs)
i386 Linux
Priority: medium  Severity: medium
Assigned To: Jakub Jelinek
QA Contact: Brian Brock
Reported: 2004-12-06 18:33 EST by John Reiser
Modified: 2007-11-30 17:10 EST (History)
Last Closed: 2004-12-07 09:23:59 EST
Description John Reiser 2004-12-06 18:33:24 EST

Description of problem:
$ cd build-i686-linuxnptl/posix; LD_LIBRARY_PATH=.. valgrind --tool=memcheck ./bug-regex11
==3398== Memcheck, a memory error detector for x86-linux.
==3398== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward et al.
==3398== Using valgrind-2.2.0, a program supervision framework for x86-linux.
==3398== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward et al.
==3398== For more details, rerun with: -v
==3398==
==3398== Invalid read of size 4
==3398==    at 0x1B9A9764: check_dst_limits (regexec.c:1901)
==3398==    by 0x1B9AEA6C: sift_states_backward (regexec.c:1643)
==3398==    by 0x1B9AF460: update_cur_sifted_state (regexec.c:2149)
==3398==    by 0x1B9AE83B: sift_states_backward (regexec.c:1556)
==3398==  Address 0x1BB5245C is not stack'd, malloc'd or (recently) free'd
==3398==
==3398== Invalid read of size 1
==3398==    at 0x1B9A975B: check_dst_limits (regexec.c:1934)
==3398==    by 0x1B9AEA6C: sift_states_backward (regexec.c:1643)
==3398==    by 0x1B9AF460: update_cur_sifted_state (regexec.c:2149)
==3398==    by 0x1B9AE83B: sift_states_backward (regexec.c:1556)
==3398==  Address 0x1BB5246C is 4 bytes before a block of size 1440 alloc'd
==3398==    at 0x1B9054FA: realloc (vg_replace_malloc.c:197)
==3398==    by 0x1B9AD248: get_subexp_sub (regexec.c:4172)
==3398==    by 0x1B9AD568: transit_state_bkref (regexec.c:2704)
==3398==    by 0x1B9AE48D: merge_state_with_log (regexec.c:2336)


Version-Release number of selected component (if applicable):
glibc-2.3.3-87

How reproducible:
Always

Steps to Reproduce:
1. Run the internal testcase posix/bug-regex11 under memcheck (valgrind).

Actual Results:  Two complaints from memcheck.

Expected Results:  No complaints from memcheck.
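The report's acceptance criterion is "no complaints from memcheck". A small parser for the memcheck output format shown above, added here as an example (not code from the report, from valgrind or from glibc), extracts each complaint's faulting frame and its relation to the nearest heap block, so a test run can be gated on that criterion and reads landing just before an allocation (the second complaint above) can be flagged separately. The sample text is constructed from the two complaints quoted in this report, trimmed to the lines the parser needs.

```python
import re

# Constructed sample: the two memcheck complaints quoted in the bug report,
# trimmed to the lines the parser needs (not a fresh valgrind run).
SAMPLE_MEMCHECK_OUTPUT = """\
==3398== Invalid read of size 4
==3398==    at 0x1B9A9764: check_dst_limits (regexec.c:1901)
==3398==    by 0x1B9AEA6C: sift_states_backward (regexec.c:1643)
==3398==  Address 0x1BB5245C is not stack'd, malloc'd or (recently) free'd
==3398==
==3398== Invalid read of size 1
==3398==    at 0x1B9A975B: check_dst_limits (regexec.c:1934)
==3398==    by 0x1B9AEA6C: sift_states_backward (regexec.c:1643)
==3398==  Address 0x1BB5246C is 4 bytes before a block of size 1440 alloc'd
==3398==    at 0x1B9054FA: realloc (vg_replace_malloc.c:197)
==3398==    by 0x1B9AD248: get_subexp_sub (regexec.c:4172)
"""

# Memcheck lines: "==PID== Invalid read of size N", then "at"/"by" frames,
# then an "Address ... is N bytes before/after/inside a block of size M" line.
ERROR_RE = re.compile(r"^==\d+== (Invalid (?:read|write)) of size (\d+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]+)\)$")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is (\d+) bytes "
                     r"(before|after|inside) a block of size (\d+)")


def parse_memcheck(output):
    """Return one dict per memcheck error: kind, size, faulting frame, heap relation."""
    errors, cur = [], None
    for line in output.splitlines():
        m = ERROR_RE.match(line)
        if m:
            cur = {"kind": m.group(1), "size": int(m.group(2)),
                   "frame": None, "location": None, "heap": None}
            errors.append(cur)
            continue
        if cur is None:
            continue
        m = FRAME_RE.match(line)
        if m and cur["frame"] is None:
            # The first frame is where the bad access happened; later frames
            # (including the allocation stack after "alloc'd") are ignored.
            cur["frame"], cur["location"] = m.group(1), m.group(2)
            continue
        m = ADDR_RE.match(line)
        if m:
            cur["heap"] = (int(m.group(1)), m.group(2), int(m.group(3)))
    return errors


def memcheck_clean(output):
    """True when memcheck reported no invalid read/write (the report's expected result)."""
    return not parse_memcheck(output)


def heap_underruns(errors):
    """Errors whose address lies before a heap block: a negative index or similar."""
    return [e for e in errors if e["heap"] is not None and e["heap"][1] == "before"]
```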
Comment 1 Jakub Jelinek 2004-12-07 09:23:59 EST
http://sources.redhat.com/ml/libc-alpha/2004-11/msg00189.html
That patch did not make it into glibc-2.3.3-87 just because I forgot; it is
now in CVS HEAD and will be in 2.3.3-88.
