Bug 171379 - echo | /bin/grep -P "^\s+$" segfaults
Summary: echo | /bin/grep -P "^\s+$" segfaults
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: grep
Version: 3.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tim Waugh
QA Contact: Mike McLean
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: 178252 187539
Reported: 2005-10-21 12:00 UTC by Bastien Nocera
Modified: 2007-11-30 22:07 UTC (History)
Clone Of:
Last Closed: 2006-03-22 16:56:12 UTC


Attachments
grep-ignore-empty-matches.patch (423 bytes, patch)
2005-10-21 12:00 UTC, Bastien Nocera
grep-P.patch (378 bytes, patch)
2006-02-03 15:48 UTC, Tim Waugh


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2006:0223 normal SHIPPED_LIVE grep bug fix update 2006-07-19 19:20:00 UTC

Description Bastien Nocera 2005-10-21 12:00:10 UTC
grep-2.5.1-24.5

The segfault can also be reproduced with:
/bin/grep -P "^\s+$" file.txt
with file.txt being a file with a single carriage-return.

The stack trace looks like:
(gdb) run -P "^\s+$" file.txt
Starting program: /bin/grep -P "^\s+$" file.txt

Program received signal SIGSEGV, Segmentation fault.
0x00d1242d in match (eptr=0x1 <Address 0x1 out of bounds>, ecode=0x893bcfa
"\021>", offset_top=2, md=0xbfe02970, ims=2,
   eptrb=0xbfe02668, flags=Variable "flags" is not available.
) at ./pcre.c:7496
7496              if ((md->ctypes[*eptr++] & ctype_space) == 0)
RRETURN(MATCH_NOMATCH);
(gdb) bt
#0  0x00d1242d in match (eptr=0x1 <Address 0x1 out of bounds>, ecode=0x893bcfa
"\021>", offset_top=2, md=0xbfe02970, ims=2,
   eptrb=0xbfe02668, flags=Variable "flags" is not available.
) at ./pcre.c:7496
#1  0x00d0f24a in match (eptr=0x1 <Address 0x1 out of bounds>, ecode=0x893bcf4
"L", offset_top=2, md=0xbfe02970, ims=Variable "ims" is not available.
)
   at ./pcre.c:5716
#2  0x00d14c5a in pcre_exec (external_re=0x893bcd8, extra_data=0x0, subject=0x1
<Address 0x1 out of bounds>,
   length=143900672, start_offset=0, options=0, offsets=0xbfe02a10,
offsetcount=300) at ./pcre.c:8251
#3  0x080552b8 in Pexecute (buf=0x1 <Address 0x1 out of bounds>, size=143900672,
mb_cache=0xbfe02f70, match_size=0xd12404,
   exact=0) at search.c:776
#4  0x0804a850 in grepbuf (beg=Variable "beg" is not available.
) at grep.c:752
#5  0x0804b50f in grepfile (file=0xbff01a72 "file.txt", stats=0x805a4a0) at
grep.c:845
#6  0x0804c759 in main (argc=4, argv=0xbfe03104) at grep.c:1787
#7  0x00342e23 in __libc_start_main () from /lib/tls/libc.so.6
#8  0x08049981 in _start ()

and in Pexecute() (before that), the retval of memchr isn't checked (it is NULL,
and blindly incremented).
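The unchecked memchr() return value described above, shown as an added C illustration of the pattern and of the check that prevents it. This is constructed code, not grep's own Pexecute(); the function names are invented, and the inputs mirror the report (a buffer holding only a newline, with the scan starting just past it):

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Delimit the line starting at `pos`, with `avail` bytes left in the buffer,
 * so it can be handed to the regex matcher. memchr() returns NULL when no
 * newline is found, which happens as soon as the scan starts at the very
 * end of the buffer (e.g. after a match has consumed the only newline). */

/* Defective pattern from the bug: the NULL is incremented without a check,
 * yielding the pointer 0x1 that the backtrace shows as subject=0x1/buf=0x1.
 * Pointer arithmetic on NULL is undefined behaviour, so the value is
 * computed here as an integer purely to make the failure visible. */
static uintptr_t line_end_unchecked(const char *pos, size_t avail)
{
    const char *nl = memchr(pos, '\n', avail);
    return (uintptr_t)nl + 1;            /* BUG: nl may be NULL */
}

/* Hardened form: a missing newline means the line runs to end of buffer. */
static size_t line_len_checked(const char *pos, size_t avail)
{
    const char *nl = memchr(pos, '\n', avail);
    return nl != NULL ? (size_t)(nl - pos) : avail;
}

/* Bytes to advance to reach the next line; never steps past `avail`. */
static size_t line_skip_checked(const char *pos, size_t avail)
{
    const char *nl = memchr(pos, '\n', avail);
    return nl != NULL ? (size_t)(nl - pos) + 1 : avail;
}

/* Walks a whole buffer with the checked helpers; terminates for any input,
 * including an empty buffer and text with no trailing newline. */
static int count_lines(const char *buf, size_t size)
{
    int n = 0;
    size_t off = 0;
    while (off < size) {
        off += line_skip_checked(buf + off, size - off);
        n++;
    }
    return n;
}
```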

Comment 1 Bastien Nocera 2005-10-21 12:00:10 UTC
Created attachment 120250
grep-ignore-empty-matches.patch

Comment 2 Tim Waugh 2006-02-03 15:48:04 UTC
Created attachment 124107
grep-P.patch

The real fix

Comment 10 Red Hat Bugzilla 2006-03-22 16:56:13 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0223.html