From owner-freebsd-bugs@FreeBSD.ORG Wed Sep 13 21:20:28 2006 Return-Path: X-Original-To: freebsd-bugs@hub.freebsd.org Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4459616A4A0 for ; Wed, 13 Sep 2006 21:20:28 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id B93A443D46 for ; Wed, 13 Sep 2006 21:20:27 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k8DLKRN3034642 for ; Wed, 13 Sep 2006 21:20:27 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k8DLKRDn034641; Wed, 13 Sep 2006 21:20:27 GMT (envelope-from gnats) Date: Wed, 13 Sep 2006 21:20:27 GMT Message-Id: <200609132120.k8DLKRDn034641@freefall.freebsd.org> To: freebsd-bugs@FreeBSD.org From: "Devon H. O'Dell" Cc: Subject: Re: bin/102299: grep(1) malloc abuse? X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: "Devon H. O'Dell" List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Sep 2006 21:20:28 -0000 The following reply was made to PR bin/102299; it has been noted by GNATS. From: "Devon H. O'Dell" To: bug-followup@FreeBSD.org, matthias.andree@gmx.de, Thomas Quinot , tjr@FreeBSD.org Cc: Subject: Re: bin/102299: grep(1) malloc abuse? Date: Wed, 13 Sep 2006 17:12:26 -0400 This is a multi-part message in MIME format. --------------050600010302050802000303 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Turns out the problem is in libgnuregex. The attached patch solves the problem. I followed the instructions from FREEBSD-upgrade, removing the release tag, and the current vendor branch does not fix this issue. Attached is a patch that fixes the issue for me and doesn't seem to cause any regressions whatsoever. Patch also available at http://databits.net/~dho/regex_internal.patch I'm not sure whether submitting this patch to the vendor is terribly useful, since this is part of glibc in Linux and their malloc doesn't have this behavior. Kind regards, Devon H. O'Dell --------------050600010302050802000303 Content-Type: text/plain; name="regex_internal.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="regex_internal.patch" --- gnu/lib/libregex/regex_internal.c.old Wed Sep 13 16:23:37 2006 +++ gnu/lib/libregex/regex_internal.c Wed Sep 13 16:22:55 2006 @@ -1501,9 +1501,17 @@ int i; newstate->hash = hash; - err = re_node_set_alloc (&newstate->non_eps_nodes, newstate->nodes.nelem); - if (BE (err != REG_NOERROR, 0)) - return REG_ESPACE; + + /* + * Allocating with a length of 0 has undefined behavior, and we recover from + * this error later on in the function. So don't do it. + */ + if (newstate->nodes.nelem != 0) { + err = re_node_set_alloc (&newstate->non_eps_nodes, newstate->nodes.nelem); + if (BE (err != REG_NOERROR, 0)) + return REG_ESPACE; + } + for (i = 0; i < newstate->nodes.nelem; i++) { int elem = newstate->nodes.elems[i]; --------------050600010302050802000303--