GNU bug report logs - #32271
heap buffer overflow in regexp.c, line 286

Previous Next

Package: sed;

Reported by: project-repo <bugs <at> feusi.co>

Date: Wed, 25 Jul 2018 14:34:01 UTC

Severity: normal

Tags: fixed

Done: Assaf Gordon <assafgordon <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

Message #14 received at 32271 <at> debbugs.gnu.org (full text, mbox):

From: Jim Meyering <jim <at> meyering.net>
To: Assaf Gordon <assafgordon <at> gmail.com>
Cc: project-repo <bugs <at> feusi.co>, 32271 <at> debbugs.gnu.org
Subject: Re: bug#32271: heap buffer overflow in regexp.c, line 286
Date: Thu, 2 Aug 2018 17:15:43 +0200

On Fri, Jul 27, 2018 at 12:13 PM, Assaf Gordon <assafgordon <at> gmail.com> wrote:
> Hello,
>
> On 25/07/18 08:34 AM, project-repo wrote:
>>
>> I let the fuzzer run again and it came up with a second heap buffer
>> overflow. This time in regexp.c, line 286. Here is a backtrace as
>> supplied by the address sanitizer:
>>
>> =================================================================
>> ==7428==ERROR: AddressSanitizer: heap-buffer-overflow on address
>> 0x611000000b2f at pc 0x7fee3354c574 bp 0x7ffd9adf2120 sp 0x7ffd9adf18d0
>> READ of size 238 at 0x611000000b2f thread T0
>>      #0 0x7fee3354c573  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x40573)
>>      #1 0x55aabd6d7025 in match_regex sed/regexp.c:286
>>      #2 0x55aabd6cd5a5 in do_subst sed/execute.c:1098
>>      #3 0x55aabd6cd5a5 in execute_program sed/execute.c:1507
>>      #4 0x55aabd6d4d5a in process_files sed/execute.c:1677
>>      #5 0x55aabd6ac5a2 in main sed/sed.c:377
>>      #6 0x7fee33173a86 in __libc_start_main
>> (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
>>      #7 0x55aabd6ad1c9 in _start (/home/jefeus/sed/sed/sed+0xc1c9)
>
>
> Once again, great work - you indirectly found a 15-year-old bug,
> in addition to the above heap buffer overflow.
>
> The two attached patches should explain it in detail.
>
> As these changes are somewhat subtle, I encourage everyone to
> double-check them...

Fine work, yet again. Thank you!
I did spot one nit: the addition of two leading TAB bytes in the
latter patch. Should be 8 spaces, of course:

-        str_append(&s_accum, line.active + start, offset - start);$
+^I{$
+          str_append(&s_accum, line.active + start, offset - start);$
+          start = offset;$
+^I}$
$

And in the added test, an even smaller comment nit: add an "s" after file:
- will report "binary file differ"
+ will report "binary files differ"
This bug report was last modified 6 years and 291 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.