From unknown Thu Jun 19 14:03:02 2025
From: bug#32271 <32271@debbugs.gnu.org>
To: bug#32271 <32271@debbugs.gnu.org>
Subject: Status: heap buffer overflow in regexp.c, line 286
Date: Thu, 19 Jun 2025 21:03:02 +0000

retitle 32271 heap buffer overflow in regexp.c, line 286
reassign 32271 sed
submitter 32271 project-repo
severity 32271 normal
tag 32271 fixed
thanks

From debbugs-submit-bounces@debbugs.gnu.org Wed Jul 25 10:33:43 2018
From: project-repo
To: bug-sed@gnu.org
Subject: heap buffer overflow in regexp.c, line 286
Date: Wed, 25 Jul 2018 16:34:25 +0200
Message-ID: <20180725143425.GA5332@feusi.co>
User-Agent: Mutt/1.10.1 (2018-07-13)
Content-Type: multipart/mixed; boundary="VS++wcV0S1rZb1Fb"

--VS++wcV0S1rZb1Fb
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hi,

I let the fuzzer run again and it came up with a second heap buffer
overflow. This time in regexp.c, line 286.
Here is a backtrace as supplied by the address sanitizer:

=================================================================
==7428==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000b2f at pc 0x7fee3354c574 bp 0x7ffd9adf2120 sp 0x7ffd9adf18d0
READ of size 238 at 0x611000000b2f thread T0
    #0 0x7fee3354c573  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x40573)
    #1 0x55aabd6d7025 in match_regex sed/regexp.c:286
    #2 0x55aabd6cd5a5 in do_subst sed/execute.c:1098
    #3 0x55aabd6cd5a5 in execute_program sed/execute.c:1507
    #4 0x55aabd6d4d5a in process_files sed/execute.c:1677
    #5 0x55aabd6ac5a2 in main sed/sed.c:377
    #6 0x7fee33173a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
    #7 0x55aabd6ad1c9 in _start (/home/jefeus/sed/sed/sed+0xc1c9)

0x611000000b2f is located 0 bytes to the right of 239-byte region [0x611000000a40,0x611000000b2f)
allocated by thread T0 here:
    #0 0x7fee335e5fd0 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0)
    #1 0x55aabd6dd3ea in ck_realloc sed/utils.c:418

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x40573)
Shadow bytes around the buggy address:
  0x0c227fff8110: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 fa
  0x0c227fff8140: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff8160: 00 00 00 00 00[07]fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8180: 00 00 00 00 00 00 00 00 00 00 00 00 00 07 fa fa
  0x0c227fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7428==ABORTING

This bug can be reproduced by running "sed -f min file-min", where min
and file-min are the files attached.

cheers,
project-repo

--VS++wcV0S1rZb1Fb
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=min

s0^004
s5505
s5505
s5505
s5505
N
W0
s5$55M
s55550
s55550
s5555
D

--VS++wcV0S1rZb1Fb
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=file-min
Content-Transfer-Encoding: quoted-printable
--VS++wcV0S1rZb1Fb--

From debbugs-submit-bounces@debbugs.gnu.org Wed Jul 25 13:16:30 2018
Subject: Re: bug#32271: heap buffer overflow in regexp.c, line 286
To: project-repo, 32271@debbugs.gnu.org
From: Assaf Gordon
Date: Wed, 25 Jul 2018 11:16:20 -0600
Message-ID: <0457c635-33ae-21af-dacf-a879ae8d3065@gmail.com>
In-Reply-To: <20180725143425.GA5332@feusi.co>

Hello,

On 25/07/18 08:34 AM, project-repo wrote:
> I let the fuzzer run again and it came up with a second heap buffer
> overflow. This time in regexp.c, line 286. Here is a backtrace as
> supplied by the address sanitizer:

Thanks again. I can reproduce it locally.
It will take me a couple of days to get to the bottom of it, will send
updates soon.
regards,
 - assaf

From debbugs-submit-bounces@debbugs.gnu.org Fri Jul 27 06:13:26 2018
Subject: Re: bug#32271: heap buffer overflow in regexp.c, line 286
To: project-repo, 32271@debbugs.gnu.org
From: Assaf Gordon
Date: Fri, 27 Jul 2018 04:13:03 -0600
Message-ID: <5b365cd0-80b6-15d0-52a3-51c3a9c730cd@gmail.com>
In-Reply-To: <20180725143425.GA5332@feusi.co>
Content-Type: multipart/mixed; boundary="------------AB585D208FCE89B53EDF83BF"

This is a multi-part message in MIME format.
--------------AB585D208FCE89B53EDF83BF
Content-Type: text/plain; charset=utf-8; format=flowed

Hello,

On 25/07/18 08:34 AM, project-repo wrote:
> I let the fuzzer run again and it came up with a second heap buffer
> overflow. This time in regexp.c, line 286. Here is a backtrace as
> supplied by the address sanitizer:
>
> =================================================================
> ==7428==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000b2f at pc 0x7fee3354c574 bp 0x7ffd9adf2120 sp 0x7ffd9adf18d0
> READ of size 238 at 0x611000000b2f thread T0
>     #0 0x7fee3354c573  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x40573)
>     #1 0x55aabd6d7025 in match_regex sed/regexp.c:286
>     #2 0x55aabd6cd5a5 in do_subst sed/execute.c:1098
>     #3 0x55aabd6cd5a5 in execute_program sed/execute.c:1507
>     #4 0x55aabd6d4d5a in process_files sed/execute.c:1677
>     #5 0x55aabd6ac5a2 in main sed/sed.c:377
>     #6 0x7fee33173a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
>     #7 0x55aabd6ad1c9 in _start (/home/jefeus/sed/sed/sed+0xc1c9)

Once again, great work - you indirectly found a 15-year-old bug,
in addition to the above heap buffer overflow.

The two attached patches should explain it in detail.
As these changes are somewhat subtle, I encourage everyone to
double-check them...

comments welcomed,
 - assaf

--------------AB585D208FCE89B53EDF83BF
Content-Type: text/x-patch; name="0001-sed-fix-extraneous-NUL-in-s-n-command.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="0001-sed-fix-extraneous-NUL-in-s-n-command.patch"

>From d6b43e5e1763bccf664e8afda4c4556ef5009d19 Mon Sep 17 00:00:00 2001
From: Assaf Gordon
Date: Fri, 27 Jul 2018 01:56:26 -0600
Subject: [PATCH 1/2] sed: fix extraneous NUL in s///n command

Under certain conditions sed would add an extraneous NUL:

    $ echo 0 | sed -e 's/$/a/2' | od -tx1 -An
    30 00 0a

This would happen when the regex is an empty (zero-length) match
at the end of the line (e.g. '$' and 'a*$') and the substitute
number flag ('n' in s///n) is higher than the number of actual
matches (multiple EOL matches are possible with multiline match,
e.g. 's/$/a/3m').

Details:

The comment at the top of 'execute.c:do_subst()' says:

    /* The first part of the loop optimizes s/xxx// when xxx is at the
       start, and s/xxx$// */

Which refers to lines 1051-3:

    1051  /* Copy stuff to the left of this match into the output string. */
    1052  if (start < offset)
    1053    str_append(&s_accum, line.active + start, offset - start);

The above code appends text to 's_accum' but does *not* update 'start'.

Later on, if the s/// command includes 'n' flag, and if 'matched == 0'
(an empty match), this comparison will be incorrect:

    1081  if (start < line.length)
    1082    matched = 1;

This in turn will set 'matched' to 1, and the 'str_append' call that
follows (line 1087) will append an additional character. Because the
empty match is EOL, the appended character is NUL.

More examples that trigger the bug:

    echo 0 | sed -e 's/a*$/X/3'
    printf "%s\n" 0 0 0 | sed -e 'N;N;s/a*$/X/4m'

Examples that do not trigger the bug:

    # The 'a*' empty regex matches at the beginning of the line (in
    # addition to the end of the line), and the optimization in line
    # 1052 is skipped.
    echo 0 | sed -e 's/a*/X/3'

    # There are 3 EOLs in the pattern space, s///3 is not too large.
    printf "%s\n" 0 0 0 | sed -e 'N;N;s/a*$/X/3m'

This was discovered while investigating bug#32271 reported by
bugs@feusi.co in https://lists.gnu.org/r/bug-sed/2018-07/msg00018.html .

* NEWS: Mention the fix.
* sed/execute.c (do_subst): Update 'start' as needed.
* testsuite/bug-32271-1.sh: New test.
* testsuite/local.mk (T): Add test. --- NEWS | 3 +++ sed/execute.c | 5 ++++- testsuite/bug32271-1.sh | 45 +++++++++++++++++++++++++++++++++++++++++++++ testsuite/local.mk | 1 + 4 files changed, 53 insertions(+), 1 deletion(-) create mode 100755 testsuite/bug32271-1.sh diff --git a/NEWS b/NEWS index ac166dd..f9293f3 100644 --- a/NEWS +++ b/NEWS @@ -7,6 +7,9 @@ GNU sed NEWS -*- outline -*- sed no longer accesses invalid memory (heap overflow) when given invalid backreferences in 's' command [bug#32082, present at least since sed-4.0.6]. + sed no longer adds extraneous NUL when given s/$//n command. + [related to bug#32271, present since sed-4.0.7] + * Noteworthy changes in release 4.5 (2018-03-31) [stable] diff --git a/sed/execute.c b/sed/execute.c index a608f7d..f0a1e04 100644 --- a/sed/execute.c +++ b/sed/execute.c @@ -1050,7 +1050,10 @@ do_subst(struct subst *sub) /* Copy stuff to the left of this match into the output string. */ if (start < offset) - str_append(&s_accum, line.active + start, offset - start); + { + str_append(&s_accum, line.active + start, offset - start); + start = offset; + } /* If we're counting up to the Nth match, are we there yet? And even if we are there, there is another case we have to diff --git a/testsuite/bug32271-1.sh b/testsuite/bug32271-1.sh new file mode 100755 index 0000000..99a0934 --- /dev/null +++ b/testsuite/bug32271-1.sh 
@@ -0,0 +1,45 @@ +#!/bin/sh +# sed would incorrectly copy internal buffers under certain s/// uses. +# Before sed 4.6 these would result in an extraneous NUL at end of lines. +# + +# Copyright (C) 2018 Free Software Foundation, Inc. + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +. "${srcdir=.}/testsuite/init.sh"; path_prepend_ ./sed +print_ver_ sed + +printf '0\n' > in || framework_failure_ +printf '0\n' > exp || framework_failure_ + +# Before sed 4.6, this would result in: 0x30 0x00 0x0a. +sed -e 's/$/a/2' in > out 2> err || fail=1 + +compare exp out || fail=1 +compare /dev/null err || fail=1 + +# To ease debugging / error reporting (the above 'compare' +# will report "binary file differ" - not very helpful here) +if test -n "$fail" ; then + echo "---- TEST FAILED" + echo "out:" + od -tx1 out + echo "exp:" + od -tx1 exp + echo "err:" + od -tx1 err +fi + + +Exit $fail diff --git a/testsuite/local.mk b/testsuite/local.mk index bf4559f..1181a0c 100644 --- a/testsuite/local.mk +++ b/testsuite/local.mk 
@@ -44,6 +44,7 @@ LOG_COMPILER = false T = \ testsuite/misc.pl \ testsuite/bug32082.sh \ + testsuite/bug32271-1.sh \ testsuite/cmd-l.sh \ testsuite/cmd-R.sh \ testsuite/colon-with-no-label.sh \ -- 2.11.0 --------------AB585D208FCE89B53EDF83BF Content-Type: text/x-patch; name="0002-sed-fix-heap-buffer-overflow-from-multiline-EOL-rege.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename*0="0002-sed-fix-heap-buffer-overflow-from-multiline-EOL-rege.pa"; filename*1="tch" >From c4863b9ab18fd4a25679182d8045f8ef18efccd1 Mon Sep 17 00:00:00 2001 
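Review bot: in the sed/execute.c hunk, the new `start = offset;` is the whole fix, yet the only explanation of why it is needed lives in the commit message; a one-line comment at the assignment (the empty-match case with an 's///n' count larger than the match count otherwise leaves 'start' behind and the later `if (start < line.length) matched = 1;` appends a stray byte) would save the next reader the archaeology, and the loop comment quoted in the commit message ("The first part of the loop optimizes s/xxx// ...") should mention that the branch now also advances 'start'. Minor: the ChangeLog entry names `testsuite/bug-32271-1.sh` while the file added is `testsuite/bug32271-1.sh`.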
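Review bot: the testsuite/bug32271-1.sh hunk checks only `s/$/a/2`, while the commit message lists a second trigger that goes through the multiline path, `printf "%s\n" 0 0 0 | sed -e 'N;N;s/a*$/X/4m'`, and two inputs that must keep working, `s/a*/X/3` and `N;N;s/a*$/X/3m`; adding those as further `compare` cases would pin down both the fix and the start-of-line empty-match path that the `start = offset` change deliberately leaves alone.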
From: Assaf Gordon
Date: Fri, 27 Jul 2018 02:19:41 -0600
Subject: [PATCH 2/2] sed: fix heap buffer overflow from multiline EOL regex
 optimization

sed would access invalid memory when matching EOF combined with s///n flag:

    $ yes 0 | fmt -w 40 | head -n2 | valgrind sed 'N;s/$//2m'
    ==13131== Conditional jump or move depends on uninitialised value(s)
    ==13131==    at 0x4C3002B: memchr (vg_replace_strmem.c:883)
    ==13131==    by 0x1120BD: match_regex (regexp.c:286)
    ==13131==    by 0x110736: do_subst (execute.c:1101)
    ==13131==    by 0x1115D3: execute_program (execute.c:1591)
    ==13131==    by 0x111A4C: process_files (execute.c:1774)
    ==13131==    by 0x112E1C: main (sed.c:405)
    ==13131==
    ==13131== Invalid read of size 1
    ==13131==    at 0x4C30027: memchr (vg_replace_strmem.c:883)
    ==13131==    by 0x1120BD: match_regex (regexp.c:286)
    ==13131==    by 0x110736: do_subst (execute.c:1101)
    ==13131==    by 0x1115D3: execute_program (execute.c:1591)
    ==13131==    by 0x111A4C: process_files (execute.c:1774)
    ==13131==    by 0x112E1C: main (sed.c:405)
    ==13131==  Address 0x55ec765 is 0 bytes after a block of size 101 alloc'd
    ==13131==    at 0x4C2DDCF: realloc (vg_replace_malloc.c:785)
    ==13131==    by 0x113BA2: ck_realloc (utils.c:418)
    ==13131==    by 0x10E682: resize_line (execute.c:154)
    ==13131==    by 0x10E6F0: str_append (execute.c:165)
    ==13131==    by 0x110779: do_subst (execute.c:1106)
    ==13131==    by 0x1115D3: execute_program (execute.c:1591)
    ==13131==    by 0x111A4C: process_files (execute.c:1774)
    ==13131==    by 0x112E1C: main (sed.c:405)
    ==13131==

The ^/$ optimization code added in v4.2.2-161-g6dea75e called memchr()
using 'buflen', ignoring the value of 'buf_start_offset' (which, if not
zero, reduces the number of bytes available for the search).

Reported by bugs@feusi.co (bug#32271) in
https://lists.gnu.org/r/bug-sed/2018-07/msg00018.html .

* NEWS: Mention the fix.
* sed/regexp.c (match_regex): Use correct buffer length in memchr().
* testsuite/bug-32271-2.sh: Test using valgrind.
* testsuite/local.mk (T): Add new test.
--- NEWS | 3 ++ sed/regexp.c | 3 +- testsuite/bug32271-2.sh | 75 +++++++++++++++++++++++++++++++++++++++++++++++++ testsuite/local.mk | 1 + 4 files changed, 81 insertions(+), 1 deletion(-) create mode 100755 testsuite/bug32271-2.sh diff --git a/NEWS b/NEWS index f9293f3..8f5c37c 100644 --- a/NEWS +++ b/NEWS @@ -10,6 +10,9 @@ GNU sed NEWS -*- outline -*- sed no longer adds extraneous NUL when given s/$//n command. [related to bug#32271, present since sed-4.0.7] + sed no longer accesses invalid memory (heap overflow) with s/$//n regexes. + [bug#32271, present since sed-4.3]. + * Noteworthy changes in release 4.5 (2018-03-31) [stable] diff --git a/sed/regexp.c b/sed/regexp.c index f7c2851..323898a 100644 --- a/sed/regexp.c +++ b/sed/regexp.c @@ -283,7 +283,8 @@ match_regex(struct regex *regex, char *buf, size_t buflen, const char *p = NULL; if (regex->flags & REG_NEWLINE) - p = memchr (buf + buf_start_offset, buffer_delimiter, buflen); + p = memchr (buf + buf_start_offset, buffer_delimiter, + buflen - buf_start_offset); offset = p ? p - buf : buflen; } diff --git a/testsuite/bug32271-2.sh b/testsuite/bug32271-2.sh new file mode 100755 index 0000000..d6e50ce --- /dev/null +++ b/testsuite/bug32271-2.sh 
@@ -0,0 +1,75 @@ +#!/bin/sh +# sed would access uninitialized memory for certain regexes. +# Before sed 4.6 these would result in "Conditional jump or move depends on +# uninitialised value(s)" and "Invalid read of size 1" +# by valgrind from regexp.c:286 + +# Copyright (C) 2018 Free Software Foundation, Inc. + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +. "${srcdir=.}/testsuite/init.sh"; path_prepend_ ./sed +print_ver_ sed + +require_valgrind_ + +# 40 characters ensures valgrind detects the bug +# (with less than 25 - it does not). +z=0000000000000000000000000000000000000000 + +printf '%s\n' $z $z > in || framework_failure_ +printf '%s\n' $z $z > exp || framework_failure_ + +# Before sed-4.6, this would fail with: +# [...] 
+# ==13131== Conditional jump or move depends on uninitialised value(s) +# ==13131== at 0x4C3002B: memchr (vg_replace_strmem.c:883) +# ==13131== by 0x1120BD: match_regex (regexp.c:286) +# ==13131== by 0x110736: do_subst (execute.c:1101) +# ==13131== by 0x1115D3: execute_program (execute.c:1591) +# ==13131== by 0x111A4C: process_files (execute.c:1774) +# ==13131== by 0x112E1C: main (sed.c:405) +# ==13131== +# ==13131== Invalid read of size 1 +# ==13131== at 0x4C30027: memchr (vg_replace_strmem.c:883) +# ==13131== by 0x1120BD: match_regex (regexp.c:286) +# ==13131== by 0x110736: do_subst (execute.c:1101) +# ==13131== by 0x1115D3: execute_program (execute.c:1591) +# ==13131== by 0x111A4C: process_files (execute.c:1774) +# ==13131== by 0x112E1C: main (sed.c:405) +# ==13131== Address 0x55ec765 is 0 bytes after a block of size 101 alloc'd +# ==13131== at 0x4C2DDCF: realloc (vg_replace_malloc.c:785) +# ==13131== by 0x113BA2: ck_realloc (utils.c:418) +# ==13131== by 0x10E682: resize_line (execute.c:154) +# ==13131== by 0x10E6F0: str_append (execute.c:165) +# ==13131== by 0x110779: do_subst (execute.c:1106) +# ==13131== by 0x1115D3: execute_program (execute.c:1591) +# ==13131== by 0x111A4C: process_files (execute.c:1774) +# ==13131== by 0x112E1C: main (sed.c:405) +valgrind --quiet --error-exitcode=1 \ + sed -e 'N; s/$//m2' in > out 2> err || fail=1 + +# Work around a bug in CentOS 5.10's valgrind +# FIXME: remove in 2018 or when CentOS 5 is no longer officially supported +grep 'valgrind: .*Assertion.*failed' err-no-posix > /dev/null \ + && skip_ 'you seem to have a buggy version of valgrind' + +compare exp out || fail=1 +compare /dev/null err || fail=1 + +echo "valgrind report:" +echo "==================================" +cat err +echo "==================================" + +exit $fail diff --git a/testsuite/local.mk b/testsuite/local.mk index 1181a0c..6d0a74d 100644 --- a/testsuite/local.mk +++ b/testsuite/local.mk 
@@ -45,6 +45,7 @@ T = \ testsuite/misc.pl \ testsuite/bug32082.sh \ testsuite/bug32271-1.sh \ + testsuite/bug32271-2.sh \ testsuite/cmd-l.sh \ testsuite/cmd-R.sh \ testsuite/colon-with-no-label.sh \
-- 
2.11.0

--------------AB585D208FCE89B53EDF83BF--

From debbugs-submit-bounces@debbugs.gnu.org Thu Aug 02 11:16:13 2018
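Review bot: in the sed/regexp.c hunk, `buflen - buf_start_offset` is an unsigned (size_t) subtraction, so if any caller of match_regex() can ever pass buf_start_offset > buflen the length wraps to a huge value and memchr() would scan far beyond the buffer, a worse over-read than the one being fixed; if the invariant buf_start_offset <= buflen holds for every caller, please state it in a comment or an assert next to the memchr() call, otherwise clamp the length (e.g. `buf_start_offset < buflen ? buflen - buf_start_offset : 0`).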
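Review bot: in the testsuite/bug32271-2.sh hunk the CentOS valgrind workaround runs `grep 'valgrind: .*Assertion.*failed' err-no-posix`, but this script only ever writes `err`, so the grep fails on a missing file and `skip_` can never fire (the filename looks carried over from another test); it should grep `err`. Also, the script ends with lowercase `exit $fail` where bug32271-1.sh and init.sh-based tests use `Exit $fail`, and the `echo "valgrind report:"` / `cat err` block runs even on success, so consider guarding it with `if test -n "$fail"` as patch 1 does. Minor: the ChangeLog entry names `testsuite/bug-32271-2.sh` while the file added is `testsuite/bug32271-2.sh`, and the test uses `s/$//m2` where the commit message shows `s/$//2m`.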
In-Reply-To: <5b365cd0-80b6-15d0-52a3-51c3a9c730cd@gmail.com>
References: <20180725143425.GA5332@feusi.co> <5b365cd0-80b6-15d0-52a3-51c3a9c730cd@gmail.com>
From: Jim Meyering
Date: Thu, 2 Aug 2018 17:15:43 +0200
Subject: Re: bug#32271: heap buffer overflow in regexp.c, line 286
To: Assaf Gordon
Cc: project-repo, 32271@debbugs.gnu.org

On Fri, Jul 27, 2018 at 12:13 PM, Assaf Gordon wrote:
> Hello,
>
> On 25/07/18 08:34 AM, project-repo wrote:
>>
>> I let the fuzzer run again and it came up with a second heap buffer
>> overflow. This time in regexp.c, line 286. Here is a backtrace as
>> supplied by the address sanitizer:
>>
>> =================================================================
>> ==7428==ERROR: AddressSanitizer: heap-buffer-overflow on address
>> 0x611000000b2f at pc 0x7fee3354c574 bp 0x7ffd9adf2120 sp 0x7ffd9adf18d0
>> READ of size 238 at 0x611000000b2f thread T0
>> #0 0x7fee3354c573 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x40573)
>> #1 0x55aabd6d7025 in match_regex sed/regexp.c:286
>> #2 0x55aabd6cd5a5 in do_subst sed/execute.c:1098
>> #3 0x55aabd6cd5a5 in execute_program sed/execute.c:1507
>> #4 0x55aabd6d4d5a in process_files sed/execute.c:1677
>> #5 0x55aabd6ac5a2 in main sed/sed.c:377
>> #6 0x7fee33173a86 in __libc_start_main
>> (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
>> #7 0x55aabd6ad1c9 in _start (/home/jefeus/sed/sed/sed+0xc1c9)
>
>
> Once again, great work - you indirectly found a 15-year-old bug,
> in addition to the above heap buffer overflow.
>
> The two attached patches should explain it in detail.
>
> As these changes are somewhat subtle, I encourage everyone to
> double-check them...

Fine work, yet again. Thank you!
I did spot one nit: the addition of two leading TAB bytes in the
latter patch. Should be 8 spaces, of course:

- str_append(&s_accum, line.active + start, offset - start);$
+^I{$
+ str_append(&s_accum, line.active + start, offset - start);$
+ start = offset;$
+^I}$
$

And in the added test, an even smaller comment nit: add an "s" after file:

- will report "binary file differ"
+ will report "binary files differ"

From debbugs-submit-bounces@debbugs.gnu.org Fri Aug 03 21:58:56 2018
Subject: Re: bug#32271: heap buffer overflow in regexp.c, line 286
To: Jim Meyering
References: <20180725143425.GA5332@feusi.co> <5b365cd0-80b6-15d0-52a3-51c3a9c730cd@gmail.com>
From: Assaf Gordon
Message-ID: <8e5df8c2-24b1-c45f-3882-075666bbfa05@gmail.com>
Date: Fri, 3 Aug 2018 19:58:46 -0600
Cc: project-repo, 32271@debbugs.gnu.org

tags 32271 fixed
close 32271
stop

On 02/08/18 09:15 AM, Jim Meyering wrote:
> On Fri, Jul 27, 2018 at 12:13 PM, Assaf Gordon wrote:
>> On 25/07/18 08:34 AM, project-repo wrote:
>>>
>>> I let the fuzzer run again and it came up with a second heap buffer
>>> overflow. This time in regexp.c, line 286. Here is a backtrace as
>>> supplied by the address sanitizer:
>>>
>> The two attached patches should explain it in detail.
>>
>> As these changes are somewhat subtle, I encourage everyone to
>> double-check them...
>
> Fine work, yet again. Thank you!
> I did spot one nit: the addition of two leading TAB bytes in the
> latter patch. Should be 8 spaces, of course:

Thanks for the review.

Pushed here:
https://git.savannah.gnu.org/cgit/sed.git/commit/?id=2cb09e14
https://git.savannah.gnu.org/cgit/sed.git/commit/?id=007a4176

-assaf

From unknown Thu Jun 19 14:03:02 2025
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request
Subject: Internal Control
Date: Sat, 01 Sep 2018 11:24:06 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks