Bug 88118 - buffer overrun in transit_state()/regexec.c
buffer overrun in transit_state()/regexec.c
Product: Red Hat Linux
Classification: Retired
Component: glibc (Show other bugs)
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Jakub Jelinek
Brian Brock
Depends On:
  Show dependency treegraph
Reported: 2003-04-05 23:39 EST by John Reiser
Modified: 2016-11-24 09:50 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2003-04-09 15:21:41 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description John Reiser 2003-04-05 23:39:00 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529

Description of problem:
Testcase posix/bug-regex4 accesses beyond a malloc()ed block in routine
transit_state().  The overrun happens in the second call to re_search_2:
      match[1] = re_search_2 (&regex, NULL, 0, "abc", 3, 0, 3, NULL, 3);

A concise description of the problem is:
[regexec.c:2077] (Thread 0) **READ_OVERFLOW**
>>           ch = re_string_fetch_byte (mctx->input);

  Reading overflows memory.

          |       5       | 1 |

   Reading    (r) : 0x0804c215 thru 0x0804c215 (1 byte)
   From block (b) : 0x0804c210 thru 0x0804c214 (5 bytes)
                   block allocated at regexec.c, 335
                re_search_2_stub()  regexec.c, 335
                   __re_search_2()  regexec.c, 308
                            main()  bug-regex4.c, 48

  Stack trace where the error occurred:
                   transit_state()  regexec.c, 2077
                  check_matching()  regexec.c, 1009
              re_search_internal()  regexec.c, 744
                  re_search_stub()  regexec.c, 411
                re_search_2_stub()  regexec.c, 349
                   __re_search_2()  regexec.c, 308
                            main()  bug-regex4.c, 48

The gdb traceback at the point of error is
#1  0x40280808 in transit_state (err=0xbfffea60, preg=0xbfffe8d0, 
    mctx=0xbfffe8d0, state=0x804bbd8, fl_search=1075641654) at regexec.c:2077
#2  0x4027e4fa in check_matching (preg=0xbfffea60, mctx=0xbfffe8d0, 
    fl_search=0, fl_longest_match=1) at regexec.c:1009
#3  0x4027dd70 in re_search_internal (preg=0xbfffea60, 
    string=0x804c210 "xyabd", length=5, start=2, range=3, stop=3, nmatch=1, 
    pmatch=0x804c280, eflags=0) at regexec.c:744
#4  0x4027d67b in re_search_stub (bufp=0xbfffea60, 
    string=0x3 <Address 0x3 out of bounds>, length=5, start=2, range=0, 
    stop=3, regs=0x0, ret_len=0) at regexec.c:411
#5  0x4027d51a in re_search_2_stub (bufp=0x3, string1=0x80486a1 "xya", 
    length1=134529664, string2=0x804869e "bd", length2=2, start=3, range=3, 
    regs=0x3, stop=8, ret_len=3) at regexec.c:349
#6  0x4027d421 in __re_search_2 (bufp=0x3, 
    string1=0x3 <Address 0x3 out of bounds>, length1=3, 
    string2=0x3 <Address 0x3 out of bounds>, length2=3, start=3, range=3, 
    regs=0x3, stop=3) at regexec.c:308
#7  0x08048580 in main () at bug-regex4.c:48
#8  0x401d4574 in __libc_start_main (main=0x8048410 <main>, argc=1, 
    ubp_av=0xbfffead4, init=0x80485d0 <__libc_csu_init>, fini=0x804c280, 
    rtld_fini=0x40064020, stack_end=0x804c212)
    at ../sysdeps/generic/libc-start.c:152

The code at the point of error is:
0x402807f5 <transit_state+101>:	testb  $0x8,0x1c(%esi)
0x402807f9 <transit_state+105>:	jne    0x40280b20 <transit_state+912>
0x402807ff <transit_state+111>:	mov    0xc(%edi),%ecx
0x40280802 <transit_state+114>:	mov    0x24(%ecx),%eax
0x40280805 <transit_state+117>:	mov    0x4(%ecx),%edx
0x40280808 <transit_state+120>:	movzbl (%eax,%edx,1),%edx     ##### bad access
0x4028080c <transit_state+124>:	inc    %eax
0x4028080d <transit_state+125>:	mov    %eax,0x24(%ecx)
0x40280810 <transit_state+128>:	mov    0x18(%ebp),%eax
0x40280813 <transit_state+131>:	test   %eax,%eax
0x40280815 <transit_state+133>:	mov    %dl,0xffffffd3(%ebp)
0x40280818 <transit_state+136>:	je     0x40280b15 <transit_state+901>

(gdb) p/x $edx
$2 = 0x804c212
(gdb) p/x $eax
$3 = 0x3

[glibc-2.3.2-20030313/build-i686-linuxnptl/libc.so was loaded at a .text base of
0x401d4380 for this run.]

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.Run testcase posix/bug-regex4.
2.Observe the second call to re_search_2() on line 47 of posix/bug-regex4.c.

Actual Results:  Buffer overrun as in Description.

Expected Results:  No buffer overrun.

Additional info:
Comment 1 Jakub Jelinek 2003-04-09 15:21:41 EDT
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.