Date: Sat, 13 Oct 2001 21:57:42 -0700 From: mki <mki@mozone.net> To: freebsd-hackers@FreeBSD.org Subject: regcomp, bounds overrun in computematchjumps Message-ID: <20011013215742.C9543@cyclonus.mozone.net>
Here's a weird problem I ran into with regcomp, using the attached
test program linked against libefence. Am I missing something obvious,
other than the fact that it is a "not-so-correct" regex? Also, the
stranger part is that when the /10 is replaced with /11 (YMMV) the
problem doesn't occur.
#include <stdio.h>
#include <sys/types.h>
#include <regex.h>
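/*
 * Minimal reproducer for the crash reported in this message: compiling the
 * pattern below with REG_NOSUB|REG_EXTENDED|REG_ICASE faults inside
 * regcomp() -> computematchjumps() when the program is linked against
 * Electric Fence (libefence).
 *
 * Per the gdb session on this page, pmatches is allocated with g->mlen (4)
 * elements, yet the faulting statement reads pmatches[ssuffix] with
 * ssuffix == 4, i.e. one element past the end of the allocation.  Without a
 * guard-page allocator such a read may go unnoticed, so run this under
 * libefence or a memory-error detector when checking a patched libc.
 *
 * The dots in the pattern are unescaped (the "not-so-correct" regex the
 * report mentions); the pattern is kept verbatim because the reporter saw
 * the fault disappear when "/10" was changed to "/11".
 *
 * Returns 0 if the pattern compiles, -1 if regcomp() reports an error.
 */
int main(int argc, char **argv) {
    regex_t preg;
    int r;
    char errbuf[512];

    /* Command-line arguments are not used by the reproducer. */
    (void)argc;
    (void)argv;

    r = regcomp(&preg, "127.0.0.1/10", REG_NOSUB|REG_EXTENDED|REG_ICASE);
    if (r != 0) {
        regerror(r, &preg, errbuf, sizeof(errbuf));
        printf("couldn't compile regex pattern, %s\n", errbuf);
        /* POSIX leaves preg undefined after a failed regcomp(): no regfree() here. */
        return -1;
    }

    /* Release the compiled pattern so leak and bounds checkers see a clean exit. */
    regfree(&preg);
    return 0;
}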
Program received signal SIGBUS, Bus error.
0x804c5d5 in computematchjumps (p=0xbfbff46c, g=0x28104ea0) at regcomp.c:2048
2048 ssuffix = pmatches[ssuffix];
(gdb) where
#0 0x804c5d5 in computematchjumps (p=0xbfbff46c, g=0x28104ea0) at regcomp.c:2048
#1 0x8048fe8 in regcomp (preg=0xbfbff70c, pattern=0x804da20 "127.0.0.1/10", cflags=7) at regcomp.c:281
#2 0x8048d08 in main (argc=1, argv=0xbfbff770) at test.c:10
#3 0x8048c5d in _start ()
(gdb) frame 0
#0 0x804c5d5 in computematchjumps (p=0xbfbff46c, g=0x28104ea0) at regcomp.c:2048
2048 ssuffix = pmatches[ssuffix];
(gdb) l
2043 while (suffix <= ssuffix && suffix < g->mlen) {
2044 g->matchjump[suffix] = MIN(g->matchjump[suffix],
2045 g->mlen + ssuffix - suffix);
2046 suffix++;
2047 }
2048 ssuffix = pmatches[ssuffix];
2049 }
2050
2051 free(pmatches);
2052 }
(gdb) print ssuffix
$1 = 4
(gdb) l 2000
1995
1996 /* Avoid making errors worse */
1997 if (p->error != 0)
1998 return;
1999
2000 pmatches = (int*) malloc(g->mlen * sizeof(unsigned int));
2001 if (pmatches == NULL) {
2002 g->matchjump = NULL;
2003 return;
2004 }
(gdb) print g->mlen
$2 = 4
(gdb) print pmatches[0]
$3 = 3
(gdb) print pmatches[1]
$4 = 3
(gdb) print pmatches[2]
$5 = 3
(gdb) print pmatches[3]
$6 = 4
(gdb) print pmatches[4]
Error accessing memory address 0x2810d000: Bad address.
(gdb) print ssuffix
$7 = 4
(gdb)
