#24751 - 26.0.50; Regex stack overflow not detected properly (gets "Variable binding depth exceeds max-specpdl-size")

GNU bug report logs - #24751
26.0.50; Regex stack overflow not detected properly (gets "Variable binding depth exceeds max-specpdl-size")

Package: emacs;

Reported by: npostavs <at> users.sourceforge.net

Date: Fri, 21 Oct 2016 03:54:01 UTC

Severity: normal

Tags: fixed, patch

Found in version 26.0.50

Fixed in version 26.1

Done: npostavs <at> users.sourceforge.net

Bug is archived. No further changes may be made.

View this message in rfc822 format

From: Eli Zaretskii <eliz <at> gnu.org> To: npostavs <at> users.sourceforge.net Cc: 24751 <at> debbugs.gnu.org Subject: bug#24751: 26.0.50; Regex stack overflow not detected properly (gets "Variable binding depth exceeds max-specpdl-size") Date: Sun, 01 Jan 2017 20:41:57 +0200

> From: npostavs <at> users.sourceforge.net > Cc: 24751 <at> debbugs.gnu.org > Date: Sun, 01 Jan 2017 13:33:35 -0500 > > Eli Zaretskii <eliz <at> gnu.org> writes: > >> > >> /* Define MATCH_MAY_ALLOCATE unless we need to make sure that the > >> searching and matching functions should not call alloca. On some > >> systems, alloca is implemented in terms of malloc, and if we're > >> using the relocating allocator routines, then malloc could cause a > >> relocation, which might (if the strings being searched are in the > >> ralloc heap) shift the data out from underneath the regexp > >> routines. > >> > >> [...] > > > > The first part is not obsolete, but its reasoning is backwards: > > SAFE_ALLOCA indeed can call malloc, but it could only cause relocation > > if REGEX_MALLOC is defined (and ralloc.c is compiled in). And when > > you define REGEX_MALLOC, MATCH_MAY_ALLOCATE is undefined. So the text > > there should be revised. > > Is there ever any case where REGEX_MALLOC is defined? I can't see where > it happens. I don't understand the question. You can compile regex.c with the "-DREGEX_MALLOC" option whenever you like. We don't do that, but as long as the code which supports that is in regex.c, the comment goes with it. > I don't understand why you say relocation is dependent on > REGEX_MALLOC, I thought only REL_ALLOC affects that. REL_ALLOC determines whether ralloc.c is compiled in, which I mentioned above. > And since we added r_alloc_inhibit_buffer_relocation around the regex > calls, aren't all these concerns about relocation obsolete? The calls to r_alloc_inhibit_buffer_relocation are outside of regex.c, so the comments in regex.c don't know anything about that.

This bug report was last modified 8 years and 198 days ago.

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #24751 26.0.50; Regex stack overflow not detected properly (gets "Variable binding depth exceeds max-specpdl-size")

GNU bug report logs - #24751
26.0.50; Regex stack overflow not detected properly (gets "Variable binding depth exceeds max-specpdl-size")