From: Aharon Robbins
Date: Sun, 08 Sep 2013 11:53:07 +0200
Subject: bug#15307: minor fix to dfa.c
To: 15307@debbugs.gnu.org

The following fix to dfa.c was suggested by a static checking tool.
I'm applying it in the gawk code base.

Basically, it's theoretically possible for len to have run off the end
of the `str' array.

Thanks,

Arnold

diff --git a/dfa.c b/dfa.c index 8b79eb7..490a075 100644 --- a/dfa.c +++ b/dfa.c 
@@ -1038,7 +1038,8 @@ parse_bracket_exp (void) /* This is in any case an invalid class name. */ str[0] = '\0'; } - str[len] = '\0'; + if (len < BRACKET_BUFFER_SIZE) + str[len] = '\0'; /* Fetch bracket. */ FETCH_WC (c, wc, _("unbalanced ["));
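
Review bot: When len equals BRACKET_BUFFER_SIZE, the new "if (len < BRACKET_BUFFER_SIZE)" guard skips "str[len] = '\0'" and nothing else in this hunk terminates "str" on that path, so the out-of-bounds store is traded for a buffer that may hold no NUL when later code reads it as a string. Suggest keeping the store unconditional and making it always in bounds, either by declaring "str" one byte larger than the bound tested when characters are appended, or by capping the append at BRACKET_BUFFER_SIZE - 1.
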
From: Jim Meyering
Date: Sun, 8 Sep 2013 11:01:08 -0700

On Sun, Sep 8, 2013 at 2:53 AM, Aharon Robbins wrote:
> The following fix to dfa.c was suggested by a static checking tool.
> I'm applying it in the gawk code base.
>
> Basically, it's theoretically possible for len to have run off the end
> of the `str' array.
...
> diff --git a/dfa.c b/dfa.c > index 8b79eb7..490a075 100644 > --- a/dfa.c > +++ b/dfa.c > @@ -1038,7 +1038,8 @@ parse_bracket_exp (void) > /* This is in any case an invalid class name. */ > str[0] = '\0'; > } > - str[len] = '\0'; > + if (len < BRACKET_BUFFER_SIZE) > + str[len] = '\0'; > > /* Fetch bracket. */ > FETCH_WC (c, wc, _("unbalanced ["));

Hi Arnold,

Thanks, but that makes it look like "str" will instead fail to be
NUL-terminated, in which case the following strcmp (aka STREQ) would
overrun the buffer. Yes, this is all theoretical, but still...

I see that the current limit is 31:

$ for i in 30 31 32 33; do printf "$i "; src/grep -E '[[:'$(perl -e 'print "a"x'$i)':]]'; done
30 src/grep: Invalid character class name
31 src/grep: Invalid character class name
32 src/grep: Unmatched [ or [^
33 src/grep: Unmatched [ or [^

So I propose this patch instead:

>From f1e1fb2c5c1538c313f8488ef687b9a96684f54e Mon Sep 17 00:00:00 2001
From: Jim Meyering
Date: Sun, 8 Sep 2013 10:49:52 -0700
Subject: [PATCH] dfa: appease a static analyzer, and save 95 stack bytes

* src/dfa.c (MAX_BRACKET_STRING_LEN): Rename from BRACKET_BUFFER_SIZE
and decrease from 128 to 32.
(parse_bracket_exp): Add one byte more than MAX_BRACKET_STRING_LEN
to the length of "str" buffer, to avoid appearance that we may store
the trailing NUL beyond the end of buffer. A string of length 32 or
greater is rejected by earlier processing, so would never reach this
code. Addresses http://bugs.gnu.org/15307
---
 src/dfa.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/dfa.c b/src/dfa.c index ad38d3b..b447a8a 100644 --- a/src/dfa.c +++ b/src/dfa.c @@ -975,8 +975,8 @@ parse_bracket_exp (void) dfa is ever called. */ if (c == '[' && (syntax_bits & RE_CHAR_CLASSES)) { -#define BRACKET_BUFFER_SIZE 128 - char str[BRACKET_BUFFER_SIZE]; +#define MAX_BRACKET_STRING_LEN 32 + char str[MAX_BRACKET_STRING_LEN + 1]; FETCH_WC (c1, wc1, _("unbalanced [")); /* If pattern contains '[[:', '[[.', or '[[='. */ 
@@ -990,7 +990,7 @@ parse_bracket_exp (void) FETCH_WC (c, wc, _("unbalanced [")); if ((c == c1 && *lexptr == ']') || lexleft == 0) break; - if (len < BRACKET_BUFFER_SIZE) + if (len < MAX_BRACKET_STRING_LEN) str[len++] = c; else /* This is in any case an invalid class name. */ -- 1.8.4.99.gd2dbd39
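
Review bot: In the first hunk, the "+ 1" in "char str[MAX_BRACKET_STRING_LEN + 1]" carries the whole fix but has no comment at the declaration; the reason (room for the trailing NUL after MAX_BRACKET_STRING_LEN stored bytes) is recorded only in the commit message. Suggest a one-line comment at the #define saying that the limit excludes the terminating NUL, and either an #undef after use or a file-scope definition, since the macro is defined inside the function body.
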
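
Review bot: In the second hunk, the bound in "if (len < MAX_BRACKET_STRING_LEN)" drops from 128 to 32, so names longer than 32 bytes now take the else branch where previously only names longer than 128 did, and the diffstat shows no test covering that boundary. Suggest adding a regression test for class-name lengths around the limit, along the lines of the shell loop earlier in this message, so that the commit message's claim that such strings are rejected by earlier processing stays checked.
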
From: Jim Meyering
Date: Wed, 11 Sep 2013 08:36:52 -0700

On Sun, Sep 8, 2013 at 11:01 AM, Jim Meyering wrote:
> On Sun, Sep 8, 2013 at 2:53 AM, Aharon Robbins wrote:
>> The following fix to dfa.c was suggested by a static checking tool.
>> I'm applying it in the gawk code base.
>>
>> Basically, it's theoretically possible for len to have run off the end
>> of the `str' array.
>>...
>
> Hi Arnold,
>
> Thanks, but that makes it look like "str" will instead fail to be
> NUL-terminated,
> in which case the following strcmp (aka STREQ) would overrun the buffer.
> Yes, this is all theoretical, but still...
>
> I see that the current limit is 31:
>
> $ for i in 30 31 32 33; do printf "$i "; src/grep -E '[[:'$(perl -e
> 'print "a"x'$i)':]]'; done
> 30 src/grep: Invalid character class name
> 31 src/grep: Invalid character class name
> 32 src/grep: Unmatched [ or [^
> 33 src/grep: Unmatched [ or [^
>
> So I propose this patch instead:

Hi Arnold,

I was going to push that change, but then realized I didn't
know which static analysis tool you were referring to.
Which was it?
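
The concern discussed in the messages above (a guarded store can leave "str" without a NUL, while one extra byte keeps the unconditional store in bounds), as an added example that is not part of the thread or of dfa.c. It models only the lines visible in the two patches; CAP, collect, the variant names and the 8-byte input are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Added model of the visible lines of parse_bracket_exp; not dfa.c itself.
   CAP is the bound tested in the loop (constructed small value). */
#define CAP 8

enum variant { ORIGINAL, GUARDED_STORE, EXTRA_BYTE };

struct outcome {
  int oob_store;   /* terminator store would land past the array */
  int terminated;  /* a NUL exists inside the array afterwards */
};

static struct outcome collect(enum variant v, const char *name)
{
  char backing[CAP + 2];                  /* roomier than any variant's array */
  size_t size = (v == EXTRA_BYTE) ? CAP + 1 : CAP;
  size_t len = 0;
  struct outcome o = { 0, 0 };

  memset(backing, 'X', sizeof backing);   /* sentinel, so no stray NULs */
  for (; *name != '\0'; name++) {
    if (len < CAP)
      backing[len++] = *name;
    else
      backing[0] = '\0';                  /* over-long: invalid class name */
  }
  if (v == GUARDED_STORE) {
    if (len < CAP)                        /* first patch: skipped at len == CAP */
      backing[len] = '\0';
  } else {
    o.oob_store = len >= size;            /* record it instead of doing it */
    if (!o.oob_store)
      backing[len] = '\0';
  }
  o.terminated = memchr(backing, '\0', size) != NULL;
  return o;
}

int main(void)
{
  static const char *const label[] = { "original", "guarded", "extra byte" };
  for (int v = ORIGINAL; v <= EXTRA_BYTE; v++) {
    struct outcome o = collect((enum variant)v, "aaaaaaaa"); /* CAP bytes */
    printf("%-10s oob_store=%d terminated=%d\n", label[v], o.oob_store, o.terminated);
  }
  return 0;
}
```

The model leaves out the earlier processing that, per the commit message, rejects over-long strings before this code is reached, which is why the thread calls the problem theoretical.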

From: Jim Meyering
Date: Sun, 27 Oct 2013 17:20:35 -0700
Subject: mark many issues as non-bugs, and close even more
To: control@debbugs.gnu.org

If you think I've marked or closed a bug inappropriately, please let me know.

tags 15438 15439 15441 15486 15656 15664 15677 15690 15726 notabug
close 15307
close 15438
close 15439
close 15440
close 15441
close 15486
close 15527
close 15656
close 15664
close 15677
close 15690
close 15724
close 15726
done