From unknown Thu Aug 14 21:56:19 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#32592: s with i modifier seems to work incorrectly
Resent-From: Saito Takaaki <tails.saito@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-sed@gnu.org
Resent-Date: Thu, 30 Aug 2018 14:44:01 +0000
Resent-Message-ID: <handler.32592.B.15356402186388@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 32592
X-GNU-PR-Package: sed
X-GNU-PR-Keywords: 
To: 32592@debbugs.gnu.org
X-Debbugs-Original-To: bug-sed@gnu.org
Received: via spool by submit@debbugs.gnu.org id=B.15356402186388
          (code B ref -1); Thu, 30 Aug 2018 14:44:01 +0000
Received: (at submit) by debbugs.gnu.org; 30 Aug 2018 14:43:38 +0000
Received: from localhost ([127.0.0.1]:39292 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1fvOAb-0001ex-TX
	for submit@debbugs.gnu.org; Thu, 30 Aug 2018 10:43:38 -0400
Received: from eggs.gnu.org ([208.118.235.92]:50232)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <tails.saito@gmail.com>) id 1fvIMp-0002uJ-U7
 for submit@debbugs.gnu.org; Thu, 30 Aug 2018 04:31:52 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <tails.saito@gmail.com>) id 1fvIMk-0001DO-48
 for submit@debbugs.gnu.org; Thu, 30 Aug 2018 04:31:46 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,FREEMAIL_FROM,
 T_DKIM_INVALID autolearn=disabled version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:36892)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <tails.saito@gmail.com>)
 id 1fvIMj-0001DI-UP
 for submit@debbugs.gnu.org; Thu, 30 Aug 2018 04:31:45 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:42981)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <tails.saito@gmail.com>) id 1fvIMi-0008HB-Th
 for bug-sed@gnu.org; Thu, 30 Aug 2018 04:31:45 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <tails.saito@gmail.com>) id 1fvIMh-0001CO-EO
 for bug-sed@gnu.org; Thu, 30 Aug 2018 04:31:44 -0400
Received: from mail-it0-x236.google.com ([2607:f8b0:4001:c0b::236]:36360)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <tails.saito@gmail.com>)
 id 1fvIMh-0001C5-9H
 for bug-sed@gnu.org; Thu, 30 Aug 2018 04:31:43 -0400
Received: by mail-it0-x236.google.com with SMTP id u13-v6so1597186iti.1
 for <bug-sed@gnu.org>; Thu, 30 Aug 2018 01:31:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:from:date:message-id:subject:to;
 bh=VjCQDJs8lCPID8rmFd+QX5u18bk2nkxsAYMLVkylrEg=;
 b=EP5DXWMEyHTXsI4TR3GoxtgE8Lfxu3//bU26mjXn6lLkCYgHzWK7zugBpKPiTeOZyG
 QCYzbEzHWljv+y59neThFXo3KI/rAx+mSPd6/51lbmrplT0REag1mIiY+VRyv90p4Esj
 rzlff0Hh1/hjLIrZdvwhmK+OeyDOCn597oII7Jvp6hwsqw+DTwL+JdZ7wB/I7KDDceOC
 w96T/CntqDZ6zS/wFpjEw7eOosUZeC8jo/YS7uLue66vYhuVZNbzEwuHPh6XmzxJDCN6
 7S5xsbnjGeM321wdaNc/jCR15pbKoBMhN9EdiLHMFWPx+nywkOe4ag/UAmMlC4w2yH/6
 iXtg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
 bh=VjCQDJs8lCPID8rmFd+QX5u18bk2nkxsAYMLVkylrEg=;
 b=aKKBdhfqskeF3P/sF+OCWYlCKZYlKi7DbyIWeCP709ZVgoFp+EynGsHatUtmEnuplK
 3f5x0ubhALqs0c7FnL2bQrq3zhhKNQUUDERJ0Evf1l1jxzBGm2APzOqb3xx1axFirEKY
 kDzgvQ2Uv8fH32UiCwYAn5fzm7LgtRICARRjcROXmv9RMD2TaUFRG2pCyU2O5X+Zn++b
 VCQ04W9PYeA6UTOuKFGtzHZtJ0ZsfakFQlxFPq388NjedOFUaIYxNYVisMNzb2N6gjFt
 6Xex26oCNOLrSiaJEBo/dioF9NZSphQkEcyhbf3uLq4DxIrnZTnXwrXzmQQ+jdPJ8/r4
 IFPg==
X-Gm-Message-State: APzg51CowTMJlnLHNOi1JEWWnNX+q29jIGQDeXADc5vYm9OEvpFNPaL6
 r1Eupcu3goGJwow2GS1jHZW8Y/RpKeEaRKkRTXtIDjE=
X-Google-Smtp-Source: ANB0VdaASKpn7FtUMhy8mtyZCJsMT1a+tX/O0NOR5C0Rl6HkZiLpOkIizyCEuzpp1Tno4+XCtFd/uq7hRcRL5SYO4Ks=
X-Received: by 2002:a24:fe86:: with SMTP id
 w128-v6mr1360537ith.52.1535617902374; 
 Thu, 30 Aug 2018 01:31:42 -0700 (PDT)
MIME-Version: 1.0
From: Saito Takaaki <tails.saito@gmail.com>
Date: Thu, 30 Aug 2018 17:31:29 +0900
Message-ID: <CAMbU8_ETi0=t81=M06BPRWukTn+wz0HQH0T7vG46+ruta4XdXQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
 recognized.
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.0 (----)
X-Mailman-Approved-At: Thu, 30 Aug 2018 10:43:36 -0400
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

Greetings,

I guess the "s" command, when "i" flag is supplied,
does not work correctly in some cases.

Assuming the following Bash command as an example:

    echo abcdefghijkl | sed 'h;G;s/\(a.*\).*\1/(\1)/i'

the expected output is:

    (abcdefghijkl)

(The command would output it as expected if the final "i"
flag were not supplied.)
However, the actual output is [1][2]:

    (abcdefg)hijkl

or [3]:

    (abcdefgh)ijkl

[1] sed (GNU sed) 4.4 Packaged by Cygwin (4.4-1)
  on Cygwin/Windows 10 (32bit)

[2] GNU sed version 4.2.1 on Debian wheezy/sid (32bit)

[3] sed (GNU sed) 4.4.2 on CentOS 7 (64bit)

I'm sorry I haven't tested that with the latest sed 4.5.

Thank you very much for your attention.

-- 
Takaaki Saito




From unknown Thu Aug 14 21:56:19 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#32592: s with i modifier seems to work incorrectly
Resent-From: bill-auger <bill-auger@peers.community>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-sed@gnu.org
Resent-Date: Thu, 30 Aug 2018 18:29:02 +0000
Resent-Message-ID: <handler.32592.B.153565373327499@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 32592
X-GNU-PR-Package: sed
X-GNU-PR-Keywords: 
To: 32592@debbugs.gnu.org
X-Debbugs-Original-To: bug-sed@gnu.org
Received: via spool by submit@debbugs.gnu.org id=B.153565373327499
          (code B ref -1); Thu, 30 Aug 2018 18:29:02 +0000
Received: (at submit) by debbugs.gnu.org; 30 Aug 2018 18:28:53 +0000
Received: from localhost ([127.0.0.1]:39408 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1fvRga-00079T-Rs
	for submit@debbugs.gnu.org; Thu, 30 Aug 2018 14:28:53 -0400
Received: from eggs.gnu.org ([208.118.235.92]:57362)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <bill-auger@peers.community>) id 1fvRfh-00077u-FR
 for submit@debbugs.gnu.org; Thu, 30 Aug 2018 14:27:57 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <bill-auger@peers.community>) id 1fvRfb-0004nt-I5
 for submit@debbugs.gnu.org; Thu, 30 Aug 2018 14:27:52 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: *
X-Spam-Status: No, score=1.6 required=5.0 tests=BAYES_00,DATE_IN_PAST_03_06,
 RCVD_IN_SORBS_HTTP,RCVD_IN_SORBS_SOCKS,T_DKIM_INVALID autolearn=disabled
 version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:54309)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <bill-auger@peers.community>)
 id 1fvRfb-0004np-EG
 for submit@debbugs.gnu.org; Thu, 30 Aug 2018 14:27:51 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:50108)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <bill-auger@peers.community>) id 1fvRfa-0005fX-MH
 for bug-sed@gnu.org; Thu, 30 Aug 2018 14:27:51 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <bill-auger@peers.community>) id 1fvRfW-0004jf-MD
 for bug-sed@gnu.org; Thu, 30 Aug 2018 14:27:50 -0400
Received: from sub5.mail.dreamhost.com ([208.113.200.129]:33034
 helo=homiemail-a59.g.dreamhost.com)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <bill-auger@peers.community>)
 id 1fvRfW-0004iN-Cn
 for bug-sed@gnu.org; Thu, 30 Aug 2018 14:27:46 -0400
Received: from homiemail-a59.g.dreamhost.com (localhost [127.0.0.1])
 by homiemail-a59.g.dreamhost.com (Postfix) with ESMTP id 6B954E00091A
 for <bug-sed@gnu.org>; Thu, 30 Aug 2018 11:27:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=peers.community; h=date
 :from:to:subject:message-id:in-reply-to:references:mime-version
 :content-type:content-transfer-encoding; s=peers.community; bh=L
 1BJyt4McL3FrNvdTPaKESUkkH0=; b=ZMvUy8Tca7Uvg5iHurm71D0iKAtaz8OuU
 OvTa3cnMzcSIVizniYFpQZoa0ne/q3EoSM8Gq5hl4PDom7lolADHpOmpgbWvm0pO
 P+WWkNduH2f2E9GG+CGv9YFJL4rWK1CcFrPFePG/aWZwcQDjcpaqCEAz4mLjDeWO
 AMgoA2oke0=
Received: from localhost (75-138-187-221.dhcp.oxfr.ma.charter.com
 [75.138.187.221])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 (Authenticated sender: bill-auger@peers.community)
 by homiemail-a59.g.dreamhost.com (Postfix) with ESMTPSA id 1B5F0E000903
 for <bug-sed@gnu.org>; Thu, 30 Aug 2018 11:27:43 -0700 (PDT)
Date: Thu, 30 Aug 2018 14:27:23 +0000
From: bill-auger <bill-auger@peers.community>
Message-ID: <20180830142723.68310a18@peers.community>
In-Reply-To: <CAMbU8_ETi0=t81=M06BPRWukTn+wz0HQH0T7vG46+ruta4XdXQ@mail.gmail.com>
References: <CAMbU8_ETi0=t81=M06BPRWukTn+wz0HQH0T7vG46+ruta4XdXQ@mail.gmail.com>
Organization: peers.community
X-Mailer: Claws Mail 3.16.0 (GTK+ 2.24.32; i686-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x (no
 timestamps) [generic]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: 1.0 (+)
X-Mailman-Approved-At: Thu, 30 Aug 2018 14:28:52 -0400
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: 0.0 (/)

On Thu, 30 Aug 2018 17:31:29 +0900
Saito Takaaki <tails.saito@gmail.com> wrote:
> Assuming the following Bash command as an example:
>     echo abcdefghijkl | sed 'h;G;s/\(a.*\).*\1/(\1)/i'
> the expected output is:
>     (abcdefghijkl)
> However, the actual output is [1][2]:
>     (abcdefg)hijkl

np with GNU sed 4.5 on parabola (archlinux)

$ echo abcdefghijkl | sed 'h;G;s/\(a.*\).*\1/(\1)/i'
(abcdefghijkl)

$ sed --version
sed (GNU sed) 4.5




From unknown Thu Aug 14 21:56:19 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#32592: s with i modifier seems to work incorrectly
Resent-From: Assaf Gordon <assafgordon@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-sed@gnu.org
Resent-Date: Tue, 04 Sep 2018 23:18:01 +0000
Resent-Message-ID: <handler.32592.B32592.15361030267305@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 32592
X-GNU-PR-Package: sed
X-GNU-PR-Keywords: 
To: Saito Takaaki <tails.saito@gmail.com>, 32592@debbugs.gnu.org, bill-auger <bill-auger@peers.community>, Eric Blake <eblake@redhat.com>, Jim Meyering <jim@meyering.net>
Received: via spool by 32592-submit@debbugs.gnu.org id=B32592.15361030267305
          (code B ref 32592); Tue, 04 Sep 2018 23:18:01 +0000
Received: (at 32592) by debbugs.gnu.org; 4 Sep 2018 23:17:06 +0000
Received: from localhost ([127.0.0.1]:46135 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1fxKZG-0001tP-5r
	for submit@debbugs.gnu.org; Tue, 04 Sep 2018 19:17:06 -0400
Received: from mail-it0-f45.google.com ([209.85.214.45]:36587)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <assafgordon@gmail.com>) id 1fxKZE-0001nl-2A
 for 32592@debbugs.gnu.org; Tue, 04 Sep 2018 19:17:04 -0400
Received: by mail-it0-f45.google.com with SMTP id u13-v6so7105675iti.1
 for <32592@debbugs.gnu.org>; Tue, 04 Sep 2018 16:17:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=subject:to:references:from:message-id:date:user-agent:mime-version
 :in-reply-to:content-language:content-transfer-encoding;
 bh=aTVDGHTinENwL8qKtk31DI7h+okXuNLRv0nbdrBVkKw=;
 b=iqBcPB0oT4FDLR3u9XGp0B3sMsDvyVfBYzIUuX1YJmAXwqwFdTQjRG4Wy/fZbWWOe9
 ioJehLKI+Tk5xdySilQQJhY1Wi5To5N+XcLR7ZVeNeRxw2QCaefmdTDliUFyDW2v3UWn
 sk+02Hxk5OUxiEReaOtJOxYV023nRMuyrcBR2Lujb96V7JlO8IIIjMafFeYt537yxiyV
 BHNjMnCzYeksyd/3O1HhwHZiS37HDBmMrANLYx8JdMmAjs95A/fYYlC5MLS4wVSERVI1
 G1XdDlWXLQ9DzYQhZyBhUmdvV59SNN+3VkgIISk0ZsV2IsmpyzyGwjYIpmrezGF7mo8q
 qf0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:subject:to:references:from:message-id:date
 :user-agent:mime-version:in-reply-to:content-language
 :content-transfer-encoding;
 bh=aTVDGHTinENwL8qKtk31DI7h+okXuNLRv0nbdrBVkKw=;
 b=Xb0LA/mAHCx0K1n+Yf268m/sm3Q7kk6W5UNqsliYZjJCMlMJ689M4zI3O5FLGREoew
 uNqULPhuR0tW7F0O10R0HZjhU8eLgq1fO06tPXryrO8iIXpZpcwnqx/mjrMENwX/+Hh4
 qKGs5zycdlsXDpnVxdE16YHLmZjXhlymm4/wP/OK95w9YXEbT+mRJBlcMR9O59pq+CJF
 3TmBwhZkkqzGQIBhwF1poim+64oAGqvCiBu4vC2KQvA+JL5XT/cj6YSWQo7008brnjnt
 qAWaghuHfeiPREaDRpWoVEhCXQYdzgQF3YPYP9CNyTv2G3VSQRK6EqUchrqUS95XDg2U
 IaMg==
X-Gm-Message-State: APzg51Cao3r6o97VWYsGVBRp6dWmgAGZUtGXhMD/9pcmyCns3eMN4rFo
 U8TNRVU+AyewfAcVDHcS7nk=
X-Google-Smtp-Source: ANB0VdYT0lVtCSkJCQPkjojT3BPXqAOQeNcBSwhz/4K2oSwnmywG8RT588mwsCFx2EOKJsIvwp4AxA==
X-Received: by 2002:a02:344:: with SMTP id
 y65-v6mr25178255jad.121.1536103018594; 
 Tue, 04 Sep 2018 16:16:58 -0700 (PDT)
Received: from tomato.housegordon.com (moose.housegordon.com. [184.68.105.38])
 by smtp.googlemail.com with ESMTPSA id
 t134-v6sm234622itb.41.2018.09.04.16.16.56
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Tue, 04 Sep 2018 16:16:57 -0700 (PDT)
References: <CAMbU8_ETi0=t81=M06BPRWukTn+wz0HQH0T7vG46+ruta4XdXQ@mail.gmail.com>
From: Assaf Gordon <assafgordon@gmail.com>
Message-ID: <64f9d762-bdaf-9c4f-444f-f18f36b452cf@gmail.com>
Date: Tue, 4 Sep 2018 17:16:56 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <CAMbU8_ETi0=t81=M06BPRWukTn+wz0HQH0T7vG46+ruta4XdXQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hello,

On 30/08/18 02:31 AM, Saito Takaaki wrote:
> I guess the "s" command, when "i" flag is supplied, does not work
> correctly in some cases.
> 
> Assuming the following Bash command as an example:
> 
> echo abcdefghijkl | sed 'h;G;s/\(a.*\).*\1/(\1)/i'

Thank you for reporting this issue with specific details
to easily reproduce it, and thanks to you Bill for a quick test on the
latest sed version.

I can confirm that this is an old bug in sed (technically: in gnulib)
which was fixed sometime between version 4.3 and 4.4 .

Specifically, this commit fixed the issue (by updating gnulib):
https://git.savannah.gnu.org/cgit/sed.git/commit/?id=44d99bf5c98ea77de0addf55ad7fe281396de996

In gnulib, these are updated changes and they include several
fixes to the regex/dfa code:

https://git.savannah.gnu.org/cgit/gnulib.git/log/?qt=range&q=a3fd683d..85bd3ab6

I have not tried to pin-point the exact change which fixed the issue.

> [1] sed (GNU sed) 4.4 Packaged by Cygwin (4.4-1) on Cygwin/Windows 10
> (32bit)

I don't have access to 32bit cygwin, but on 64bit cygwin (windows 7) 
with sed-4.4-1 I do not experience the bug - can you confirm it still 
happens even in sed-4.4 ?

> [2] GNU sed version 4.2.1 on Debian wheezy/sid (32bit)
> 
> [3] sed (GNU sed) 4.4.2 on CentOS 7 (64bit)
(I assume you meant sed-4.2.2 on CentOS)

Given that sed-4.2.2 is almost six years old,
and the fixed version (sed-4.4) is also already a year and a half old,
I'm inclined to close this bug as "wontfix".

CentOS-7 (and by proxy, RHEL-7) are likely the only officially supported
distributions that still use the old sed version 4.2.2.

Eric, Jim - what do you think?

regards,
  - assaf




From unknown Thu Aug 14 21:56:19 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#32592: s with i modifier seems to work incorrectly
Resent-From: Saito Takaaki <tails.saito@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-sed@gnu.org
Resent-Date: Wed, 05 Sep 2018 01:04:01 +0000
Resent-Message-ID: <handler.32592.B32592.153610939819337@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 32592
X-GNU-PR-Package: sed
X-GNU-PR-Keywords: 
To: 32592@debbugs.gnu.org
Cc: bill-auger@peers.community, assafgordon@gmail.com, eblake@redhat.com, jim@meyering.net
Received: via spool by 32592-submit@debbugs.gnu.org id=B32592.153610939819337
          (code B ref 32592); Wed, 05 Sep 2018 01:04:01 +0000
Received: (at 32592) by debbugs.gnu.org; 5 Sep 2018 01:03:18 +0000
Received: from localhost ([127.0.0.1]:46165 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1fxME2-00051p-4v
	for submit@debbugs.gnu.org; Tue, 04 Sep 2018 21:03:18 -0400
Received: from mail-io0-f177.google.com ([209.85.223.177]:43368)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <tails.saito@gmail.com>) id 1fxME0-00051a-CJ
 for 32592@debbugs.gnu.org; Tue, 04 Sep 2018 21:03:16 -0400
Received: by mail-io0-f177.google.com with SMTP id y10-v6so4607679ioa.10
 for <32592@debbugs.gnu.org>; Tue, 04 Sep 2018 18:03:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc; bh=jS8LA/zcauF/cBTwUNWsyyjRWDu39DXZr5Fhu0JM7+Q=;
 b=jTXzwivOKBSHQz6q8gdGg5QU/wOPgre1MQUxX1bFm3zpCZ9bppGVZ+XmToWgRPEAau
 9X25B3v7ZfBR4h/ohOiqjRRRgDtvW20d9aNbeyQW0bEg1ytbHc6sAG6HCvNi0d1qFHPJ
 zogRSTENRVAAyqAdHGz9lWvbOgBAt/uaQOxiLJwtCYV1del34Qs0GR0ZOgsxz/OdhHKl
 azASZOjDYZ60de8UVn0EHe1koURNsV7zobvoYWLz406kK6GTGUzAbfq86BrIvF9UFMwF
 39fpZNIRmc1lwVbpqD508cU08DXNRFvHZnZ5o/6S0xAtfVlUpJWvt7xG/Xa1mUhkKxGe
 kTCg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=jS8LA/zcauF/cBTwUNWsyyjRWDu39DXZr5Fhu0JM7+Q=;
 b=O3ocazb54qk4gRJh06KR0dOfuPPFRvKYnAuiwiHTC4n59Fwo/oJCuRTNvx2hu9AKBf
 TpjgnGJ3CAD8Ht6G0EV0IDH2WwhFe0UQERO4w6OuBPPOy7VIKOYDVM2C9BAple9x8Iji
 9fCFAynWCiIM1Uig9Qbu9/3uj/s0ZJbLlOyRVv7gIkd/9fZlmArnIdn8E4axKQArg35y
 CyUZz8LY6lOeKAIHhowL2I+6RdTmLWbAJmSiMOp49gh4KwdDodK+Zqpo8z4zHSYiEpxB
 SmpXCrLLUTgcPtAsu4j64QOSGiyMKjXtS2Li5b80MNSrTyOODwrkTRgOaGIWF8sbe5F0
 FRwQ==
X-Gm-Message-State: APzg51BjQ/gsRAoCQQfn8TdtT5/ZJqxWbhxjQivVceUVNIFKWlG4UeoM
 P8gvMe+0/Ppa7zCJf3lzlyMculJmfxDlxYqRrsv0cU4CTw==
X-Google-Smtp-Source: ANB0Vda6JmFku0yBmaoFfBfCxNCvMKls1Q6qqEgmOIMFI59CxSO6WYkLsKbfo97w0sHiS40nII/oNTw9zBhewe2sY8s=
X-Received: by 2002:a6b:e15:: with SMTP id
 21-v6mr24179652ioo.149.1536109390667; 
 Tue, 04 Sep 2018 18:03:10 -0700 (PDT)
MIME-Version: 1.0
References: <CAMbU8_ETi0=t81=M06BPRWukTn+wz0HQH0T7vG46+ruta4XdXQ@mail.gmail.com>
 <64f9d762-bdaf-9c4f-444f-f18f36b452cf@gmail.com>
In-Reply-To: <64f9d762-bdaf-9c4f-444f-f18f36b452cf@gmail.com>
From: Saito Takaaki <tails.saito@gmail.com>
Date: Wed, 5 Sep 2018 10:02:58 +0900
Message-ID: <CAMbU8_F+EAyojfosT49b73JyBZ-QxeqkmUfPhJMmZF4zv3kh9Q@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hello assaf, thank you very much for the detailed explanation.

> > [3] sed (GNU sed) 4.4.2 on CentOS 7 (64bit)
> (I assume you meant sed-4.2.2 on CentOS)

You are right.  I'm sorry for my critical mistake.

> I don't have access to 32bit cygwin, but on 64bit cygwin (windows 7)
> with sed-4.4-1 I do not experience the bug - can you confirm it still
> happens even in sed-4.4 ?

Here is the result of the command in question and the first three lines
of sed --version on 32bit cygwin on Windows 10.
--------
$ echo abcdefghijkl | sed 'h;G;s/\(a.*\).*\1/(\1)/i'
(abcdefg)hijkl
$ sed --version  | head -3
sed (GNU sed) 4.4
Packaged by Cygwin (4.4-1)
Copyright (C) 2017 Free Software Foundation, Inc.
--------

Additionally, I tried the command with sed 4.4 on ideone and found
it does not happen.
https://ideone.com/pYoF5y

However, a friend showed me a more complex case which is
problematic even with sed 4.4 on ideone.  The last two lines of the
output (for the identical input lines) are  particularly interesting.
https://ideone.com/Sq5xJX

I hope this helps even a bit.
Thank you very much.

-- 
Takaaki Saito




From unknown Thu Aug 14 21:56:19 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#32592: heap-use-after-free in regex module (was: s with i modifier seems to work incorrectly)
Resent-From: Assaf Gordon <assafgordon@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-sed@gnu.org
Resent-Date: Wed, 05 Sep 2018 07:33:01 +0000
Resent-Message-ID: <handler.32592.B32592.153613275823316@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 32592
X-GNU-PR-Package: sed
X-GNU-PR-Keywords: 
To: Saito Takaaki <tails.saito@gmail.com>, 32592@debbugs.gnu.org, bug-gnulib@gnu.org
Cc: bill-auger <bill-auger@peers.community>, Eric Blake <eblake@redhat.com>, Jim Meyering <jim@meyering.net>
Received: via spool by 32592-submit@debbugs.gnu.org id=B32592.153613275823316
          (code B ref 32592); Wed, 05 Sep 2018 07:33:01 +0000
Received: (at 32592) by debbugs.gnu.org; 5 Sep 2018 07:32:38 +0000
Received: from localhost ([127.0.0.1]:46313 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1fxSIn-00063y-Ic
	for submit@debbugs.gnu.org; Wed, 05 Sep 2018 03:32:37 -0400
Received: from mail-it0-f54.google.com ([209.85.214.54]:37052)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <assafgordon@gmail.com>) id 1fxSIl-00063m-Oa
 for 32592@debbugs.gnu.org; Wed, 05 Sep 2018 03:32:36 -0400
Received: by mail-it0-f54.google.com with SMTP id h20-v6so8265729itf.2
 for <32592@debbugs.gnu.org>; Wed, 05 Sep 2018 00:32:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=subject:to:references:from:cc:message-id:date:user-agent
 :mime-version:in-reply-to:content-language:content-transfer-encoding;
 bh=vHjG5BGsbujllVSmhfLehlmtUjbry3Za7IgGrL3bCNk=;
 b=LqL9Ng9GBUqG0ExQNMbb39SiWGoxq5r4B7kdsoEMvULPU9fUWJgRyZrZmnxqxj8qrB
 8wRYUKEHxf9TTVjnjGjKA9YiwIaf5yuCBtCRaMGNbnHUcwE+ZpBSxOPZD5QnS0Xua5fS
 V4g/ejzHXNXBKppQlewXGwRNVOEVRlAVSfvnrK5CBFbM+KX8sMEtIC9p/k6Ya7p+olxD
 Prbr8oao6t6EZ9eYeHF9dkyn4DrlbIe/IBy4V7kfWUEPrYZm4ZhdJJh6q6RvmgIxT+9N
 EGFTxitum9IS8cOf7B66R6P3yxFed+iOcnZEc4lWcawfBAvEleg7r4x6nPeKgsW1LJMC
 VOjw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:subject:to:references:from:cc:message-id:date
 :user-agent:mime-version:in-reply-to:content-language
 :content-transfer-encoding;
 bh=vHjG5BGsbujllVSmhfLehlmtUjbry3Za7IgGrL3bCNk=;
 b=kkFYJwvUySx3B9t7YgsEyu68Y8/28ZPPRz5maMIvPjBgmUMvclQX4mJHSDBZsFQEl8
 fsHQQ53rX32tQ7j49da3Npoc5vkyEH+Z056tD9EHXfWpTsm7RrMTkF3hKDzpdpE8RrEk
 dNDL3FXlVufDQ3KD48y24LOPf8TSvMIhGLt8sE2FokFIGCt2oMy/+PTrjZ31wQTuQajV
 LD2z/ZMYgyQWnihGJ95h4JaHfwosaGthV8nPynmp4w7LyMKwiuKk2exDyj1jsCk/6RwU
 sojzwIhKMEtMHBkBzduLDtzR01hwxplqiMx9iqU5snDKKAmCqX28F0dh6EG+vTPhCV0u
 UvzA==
X-Gm-Message-State: APzg51BIdUoUOVl8onpEdi5+tAe6RdPlDM2Ibbn8US702lOK9feAJ0C6
 PZOhszIDZEbMDxCVRQNV6HA=
X-Google-Smtp-Source: ANB0VdYepZGO2Lgaj0KzCjCHbFFYhcxCYhJAV37p9RFjPIBQGHYuC8lP1sE7opv80RMQuDKfjjqWtg==
X-Received: by 2002:a02:59cc:: with SMTP id
 v73-v6mr25916183jad.5.1536132750120; 
 Wed, 05 Sep 2018 00:32:30 -0700 (PDT)
Received: from tomato.housegordon.com (moose.housegordon.com. [184.68.105.38])
 by smtp.googlemail.com with ESMTPSA id
 x30-v6sm8629306ita.2.2018.09.05.00.32.28
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Wed, 05 Sep 2018 00:32:28 -0700 (PDT)
References: <CAMbU8_ETi0=t81=M06BPRWukTn+wz0HQH0T7vG46+ruta4XdXQ@mail.gmail.com>
 <64f9d762-bdaf-9c4f-444f-f18f36b452cf@gmail.com>
 <CAMbU8_F+EAyojfosT49b73JyBZ-QxeqkmUfPhJMmZF4zv3kh9Q@mail.gmail.com>
From: Assaf Gordon <assafgordon@gmail.com>
Message-ID: <6321ec76-bb32-d9e0-42ce-cbb371b8118c@gmail.com>
Date: Wed, 5 Sep 2018 01:32:27 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <CAMbU8_F+EAyojfosT49b73JyBZ-QxeqkmUfPhJMmZF4zv3kh9Q@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

(adding gnulib)

On 04/09/18 07:02 PM, Saito Takaaki wrote:
[... discussing a sed bug ...]
> However, a friend showed me a more complex case which is
> problematic even with sed 4.4 on ideone.  The last two lines of the
> output (for the identical input lines) are  particularly interesting.
> https://ideone.com/Sq5xJX
> 
> I hope this helps even a bit.

Thank you for persisting with this bug.

The linked snippet you provided exposed a heap-use-after-free bug
in gnulib's regex module (possibly in glibc as well).

A simple way to reproduce with latest sed:

   cd sed
   ./bootstrap
   ./configure --with-included-regex
   make
   echo 'abcdefghijklmns!!!!!!!!!!' \
      | valgrind ./sed/sed -E 'h;G;s/((.).+(.))(.*\n.*\1)/\2-\3\4/i'

Results in a use-after-free relating to the back-references (valgrind
output below). There's some interplay with the input length - if the 
exclamation marks are removed, the bug is not triggered.
The bug does not trigger without the case-insensitive flag (s///i).

This is easier to trigger with gnulib (hence --with-included-regex)
but happens also with glibc's regex module.

This could also mean that the bug you previously reported and I surmised
was fixed is not fixed at all - could be that it was just much harder to
trigger with later sed versions.

I'm still learning the code so don't have a fix yet.

comments welcomed,
  - assaf

=========================

==13408== Memcheck, a memory error detector
==13408== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==13408== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for 
copyright info
==13408== Command: ./sed/sed -E h;G;s/((.).+(.))(.*\\n.*\\1)/\\2-\\3\\4/i
==13408==
==13408== Invalid read of size 1
==13408==    at 0x123857: get_subexp (regexec.c:2747)
==13408==    by 0x123857: transit_state_bkref.isra.32 (regexec.c:2561)
==13408==    by 0x123BDC: merge_state_with_log (regexec.c:2345)
==13408==    by 0x1248B8: check_matching (regexec.c:1135)
==13408==    by 0x1248B8: re_search_internal (regexec.c:802)
==13408==    by 0x12921E: re_search_stub (regexec.c:424)
==13408==    by 0x12995F: rpl_re_search (regexec.c:289)
==13408==    by 0x111C84: match_regex (regexp.c:358)
==13408==    by 0x110205: do_subst (execute.c:1015)
==13408==    by 0x110205: execute_program (execute.c:1536)
==13408==    by 0x11145A: process_files (execute.c:1673)
==13408==    by 0x10B23B: main (sed.c:360)
==13408==  Address 0x56096d0 is 16 bytes inside a block of size 42 free'd
==13408==    at 0x4C2DDCF: realloc (vg_replace_malloc.c:785)
==13408==    by 0x11BF43: re_string_realloc_buffers (regex_internal.c:167)
==13408==    by 0x11CA8C: extend_buffers (regexec.c:4057)
==13408==    by 0x11CBBA: clean_state_log_if_needed (regexec.c:1697)
==13408==    by 0x123967: get_subexp (regexec.c:2778)
==13408==    by 0x123967: transit_state_bkref.isra.32 (regexec.c:2561)
==13408==    by 0x123BDC: merge_state_with_log (regexec.c:2345)
==13408==    by 0x1248B8: check_matching (regexec.c:1135)
==13408==    by 0x1248B8: re_search_internal (regexec.c:802)
==13408==    by 0x12921E: re_search_stub (regexec.c:424)
==13408==    by 0x12995F: rpl_re_search (regexec.c:289)
==13408==    by 0x111C84: match_regex (regexp.c:358)
==13408==    by 0x110205: do_subst (execute.c:1015)
==13408==    by 0x110205: execute_program (execute.c:1536)
==13408==    by 0x11145A: process_files (execute.c:1673)
==13408==  Block was alloc'd at
==13408==    at 0x4C2DDCF: realloc (vg_replace_malloc.c:785)
==13408==    by 0x11BF43: re_string_realloc_buffers (regex_internal.c:167)
==13408==    by 0x11CA8C: extend_buffers (regexec.c:4057)
==13408==    by 0x124A1A: check_matching (regexec.c:1125)
==13408==    by 0x124A1A: re_search_internal (regexec.c:802)
==13408==    by 0x12921E: re_search_stub (regexec.c:424)
==13408==    by 0x12995F: rpl_re_search (regexec.c:289)
==13408==    by 0x111C84: match_regex (regexp.c:358)
==13408==    by 0x110205: do_subst (execute.c:1015)
==13408==    by 0x110205: execute_program (execute.c:1536)
==13408==    by 0x11145A: process_files (execute.c:1673)
==13408==    by 0x10B23B: main (sed.c:360)
==13408==
==13408== Invalid read of size 1
==13408==    at 0x12385C: get_subexp (regexec.c:2747)
==13408==    by 0x12385C: transit_state_bkref.isra.32 (regexec.c:2561)
==13408==    by 0x123BDC: merge_state_with_log (regexec.c:2345)
==13408==    by 0x1248B8: check_matching (regexec.c:1135)
==13408==    by 0x1248B8: re_search_internal (regexec.c:802)
==13408==    by 0x12921E: re_search_stub (regexec.c:424)
==13408==    by 0x12995F: rpl_re_search (regexec.c:289)
==13408==    by 0x111C84: match_regex (regexp.c:358)
==13408==    by 0x110205: do_subst (execute.c:1015)
==13408==    by 0x110205: execute_program (execute.c:1536)
==13408==    by 0x11145A: process_files (execute.c:1673)
==13408==    by 0x10B23B: main (sed.c:360)
==13408==  Address 0x56096ea is 0 bytes after a block of size 42 free'd
==13408==    at 0x4C2DDCF: realloc (vg_replace_malloc.c:785)
==13408==    by 0x11BF43: re_string_realloc_buffers (regex_internal.c:167)
==13408==    by 0x11CA8C: extend_buffers (regexec.c:4057)
==13408==    by 0x11CBBA: clean_state_log_if_needed (regexec.c:1697)
==13408==    by 0x123967: get_subexp (regexec.c:2778)
==13408==    by 0x123967: transit_state_bkref.isra.32 (regexec.c:2561)
==13408==    by 0x123BDC: merge_state_with_log (regexec.c:2345)
==13408==    by 0x1248B8: check_matching (regexec.c:1135)
==13408==    by 0x1248B8: re_search_internal (regexec.c:802)
==13408==    by 0x12921E: re_search_stub (regexec.c:424)
==13408==    by 0x12995F: rpl_re_search (regexec.c:289)
==13408==    by 0x111C84: match_regex (regexp.c:358)
==13408==    by 0x110205: do_subst (execute.c:1015)
==13408==    by 0x110205: execute_program (execute.c:1536)
==13408==    by 0x11145A: process_files (execute.c:1673)
==13408==  Block was alloc'd at
==13408==    at 0x4C2DDCF: realloc (vg_replace_malloc.c:785)
==13408==    by 0x11BF43: re_string_realloc_buffers (regex_internal.c:167)
==13408==    by 0x11CA8C: extend_buffers (regexec.c:4057)
==13408==    by 0x124A1A: check_matching (regexec.c:1125)
==13408==    by 0x124A1A: re_search_internal (regexec.c:802)
==13408==    by 0x12921E: re_search_stub (regexec.c:424)
==13408==    by 0x12995F: rpl_re_search (regexec.c:289)
==13408==    by 0x111C84: match_regex (regexp.c:358)
==13408==    by 0x110205: do_subst (execute.c:1015)
==13408==    by 0x110205: execute_program (execute.c:1536)
==13408==    by 0x11145A: process_files (execute.c:1673)
==13408==    by 0x10B23B: main (sed.c:360)
==13408==
a-!!!!!!!!!!
abcdefghijklmns!!!!!!!!!!
==13408==
==13408== HEAP SUMMARY:
==13408==     in use at exit: 1,840 bytes in 5 blocks
==13408==   total heap usage: 1,131 allocs, 1,126 frees, 205,127 bytes 
allocated
==13408==
==13408== LEAK SUMMARY:
==13408==    definitely lost: 0 bytes in 0 blocks
==13408==    indirectly lost: 0 bytes in 0 blocks
==13408==      possibly lost: 0 bytes in 0 blocks
==13408==    still reachable: 1,840 bytes in 5 blocks
==13408==         suppressed: 0 bytes in 0 blocks
==13408== Rerun with --leak-check=full to see details of leaked memory
==13408==
==13408== For counts of detected and suppressed errors, rerun with: -v
==13408== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)




From unknown Thu Aug 14 21:56:19 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#32592: heap-use-after-free in regex module (was: s with i modifier seems to work incorrectly)
Resent-From: Jim Meyering <jim@meyering.net>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-sed@gnu.org
Resent-Date: Wed, 05 Sep 2018 13:24:01 +0000
Resent-Message-ID: <handler.32592.B32592.153615382215502@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 32592
X-GNU-PR-Package: sed
X-GNU-PR-Keywords: 
To: Assaf Gordon <assafgordon@gmail.com>
Cc: bill-auger@peers.community, Eric Blake <eblake@redhat.com>, 32592@debbugs.gnu.org, tails.saito@gmail.com, "bug-gnulib@gnu.org List" <bug-gnulib@gnu.org>
Received: via spool by 32592-submit@debbugs.gnu.org id=B32592.153615382215502
          (code B ref 32592); Wed, 05 Sep 2018 13:24:01 +0000
Received: (at 32592) by debbugs.gnu.org; 5 Sep 2018 13:23:42 +0000
Received: from localhost ([127.0.0.1]:46513 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1fxXmX-00041x-SQ
	for submit@debbugs.gnu.org; Wed, 05 Sep 2018 09:23:42 -0400
Received: from mail-wm0-f65.google.com ([74.125.82.65]:56050)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <meyering@gmail.com>) id 1fxXmV-00041i-NK
 for 32592@debbugs.gnu.org; Wed, 05 Sep 2018 09:23:40 -0400
Received: by mail-wm0-f65.google.com with SMTP id f21-v6so7968342wmc.5
 for <32592@debbugs.gnu.org>; Wed, 05 Sep 2018 06:23:39 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=KCK8MkNXCrOqwNo27PhvkJlPA3xY2V20nakh34RpIqY=;
 b=DCx71LnWRZz3XHl6izf+fyZpQ1Gx4OSoKc4pQsM0+XK4N9PSuHGuoP9t6dD0ZGT7Bm
 gn5Eii4o4dV2AVHpVkGMO8nZHzvwiEqg/NQV36bosEbJ7ImhE0UhvLSPxxRONVRx8jLb
 oDjoQj9isks2Ipbv96MsdM2AujO+REsBlALOb/1uEKhpGYwRNvn+U9VOCntLPQiP0ZHF
 AqzHkc2s4DjJFzDQcBSD1znHro+ofoSizaWWpz9SMaeb0XizgwJlhik6ZrT1ENdOQc9/
 10sC1ED0UT5MXHxa/mOixA2C9vWDdqZZkmBBQlNUhfC84mTuWm7G9SBWci/xlTK+MAQa
 HXzg==
X-Gm-Message-State: APzg51DM1izQPWwz5WM+1D+A316oeb2Z5845g3/oiwjUR1yVTY4bzZhN
 I6QCdKdbW7Wya7OQ4mA2z+Ji5g2RyNUgzP5rrjk=
X-Google-Smtp-Source: ANB0VdZ8vGemEw0v+j/myrq1/jsHMW0PKjNsBj81VelBzFomBKaoXIiDULRAEO4d2mEETnvrRicjnxXLSeBkpPG6yvA=
X-Received: by 2002:a1c:aa0c:: with SMTP id
 t12-v6mr212230wme.109.1536153813916; 
 Wed, 05 Sep 2018 06:23:33 -0700 (PDT)
MIME-Version: 1.0
References: <CAMbU8_ETi0=t81=M06BPRWukTn+wz0HQH0T7vG46+ruta4XdXQ@mail.gmail.com>
 <64f9d762-bdaf-9c4f-444f-f18f36b452cf@gmail.com>
 <CAMbU8_F+EAyojfosT49b73JyBZ-QxeqkmUfPhJMmZF4zv3kh9Q@mail.gmail.com>
 <6321ec76-bb32-d9e0-42ce-cbb371b8118c@gmail.com>
In-Reply-To: <6321ec76-bb32-d9e0-42ce-cbb371b8118c@gmail.com>
From: Jim Meyering <jim@meyering.net>
Date: Wed, 5 Sep 2018 06:23:21 -0700
Message-ID: <CA+8g5KH4dAPvD25qzBF+RifhAXpwQVQrdLyHpYg0HRF9rQ6zgg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 0.4 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.6 (/)

On Wed, Sep 5, 2018 at 12:32 AM Assaf Gordon <assafgordon@gmail.com> wrote:
>
> (adding gnulib)
>
> On 04/09/18 07:02 PM, Saito Takaaki wrote:
> [... discussing a sed bug ...]
> > However, a friend showed me a more complex case which is
> > problematic even with sed 4.4 on ideone.  The last two lines of the
> > output (for the identical input lines) are  particularly interesting.
> > https://ideone.com/Sq5xJX
> >
> > I hope this helps even a bit.
>
> Thank you for persisting with this bug.
>
> The linked snippet you provided exposed a heap-use-after-free bug
> in gnulib's regex module (possibly in glibc as well).
>
> A simple way to reproduce with latest sed:
>
>    cd sed
>    ./bootstrap
>    ./configure --with-included-regex
>    make
>    echo 'abcdefghijklmns!!!!!!!!!!' \
>       | valgrind ./sed/sed -E 'h;G;s/((.).+(.))(.*\n.*\1)/\2-\3\4/i'
>
> Results in a use-after-free relating to the back-references (valgrind
> output below). There's some interplay with the input length - if the
> exclamation marks are removed, the bug is not triggered.
> The bug does not trigger without the case-insensitive flag (s///i).
>
> This is easier to trigger with gnulib (hence --with-included-regex)
> but happens also with glibc's regex module.
>
> This could also mean that the bug you previously reported and I surmised
> was fixed is not fixed at all - could be that it was just much harder to
> trigger with later sed versions.
>
> I'm still learning the code so don't have a fix yet.

Wow, another!?! Thanks for pursuing!




From unknown Thu Aug 14 21:56:19 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#32592: heap-use-after-free in regex module
Resent-From: Assaf Gordon <assafgordon@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-sed@gnu.org
Resent-Date: Thu, 06 Sep 2018 00:05:02 +0000
Resent-Message-ID: <handler.32592.B32592.153619225419277@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 32592
X-GNU-PR-Package: sed
X-GNU-PR-Keywords: 
To: Jim Meyering <jim@meyering.net>
Cc: bill-auger@peers.community, Eric Blake <eblake@redhat.com>, 32592@debbugs.gnu.org, tails.saito@gmail.com, "bug-gnulib@gnu.org List" <bug-gnulib@gnu.org>
Received: via spool by 32592-submit@debbugs.gnu.org id=B32592.153619225419277
          (code B ref 32592); Thu, 06 Sep 2018 00:05:02 +0000
Received: (at 32592) by debbugs.gnu.org; 6 Sep 2018 00:04:14 +0000
Received: from localhost ([127.0.0.1]:47515 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1fxhmP-00050r-RT
	for submit@debbugs.gnu.org; Wed, 05 Sep 2018 20:04:14 -0400
Received: from mail-pf1-f182.google.com ([209.85.210.182]:34564)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <assafgordon@gmail.com>) id 1fxhmO-00050e-6A
 for 32592@debbugs.gnu.org; Wed, 05 Sep 2018 20:04:12 -0400
Received: by mail-pf1-f182.google.com with SMTP id k19-v6so4306453pfi.1
 for <32592@debbugs.gnu.org>; Wed, 05 Sep 2018 17:04:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=subject:to:cc:references:from:message-id:date:user-agent
 :mime-version:in-reply-to:content-language;
 bh=PSMpAQZRH7E7S08VVtib0lOFI9CNWJi3ldMYkLdVaQ0=;
 b=ND3GkQ+phmiGwWAOJdtaUE1Z4MqiMd1HOLSy8TpZfXJZzVBBewvUGdVM3mlY27nsxE
 rJsD0VldjHQNSBvmXQ3JmtMxLQG+r+iKMB7AmvZlJ16OKs5n1gT2JZXvKXnAFfS7y7E4
 6M7TOgS26/54CNSuZQqE+xzxZop4NMN9HXJrVComwrCBE9awca6wicmgXtNF6COqiGL/
 ft9MKHn+M1hLK8XYHsQkb+ZLNfBpeU9475xTJ8l8ejYgkdNd95Uj7YBiUplCZlgCTlWA
 r/uHeRqouc+RcqItuDGc+drVMmjA63Xzs1so3CTKRCv+jZddmJfwKUIkNwzNVPV7TK+B
 fprQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:subject:to:cc:references:from:message-id:date
 :user-agent:mime-version:in-reply-to:content-language;
 bh=PSMpAQZRH7E7S08VVtib0lOFI9CNWJi3ldMYkLdVaQ0=;
 b=mFTdeMtDwcTKn+6sl1LLTYNkVUNkJjCMWjNKhZ3gAu+muE9s2cRIXKZJW5u/G0pz0K
 nfBf1rZWgyyw1pcHw76OcaNvOdGHYFJ7ltIz8eL7LgOw5L+fNy1GbYfjBMsu8EF7ufre
 +dVIXbWZNMXAQNzXbk9E3KB8kkL6/zoE0xM5xNFSi3PhcytN9eZqSKBr7HQRF0DXrcDL
 30R8hIwKFBh/x+qg4MAWteeGwTaPL/wpBaYVBqc0PsztFkt1paOfjS9ZLID8H7dGZ9U4
 nmtbvdOUvhV3wt4KdXuYQD+x1TOGkbxyxo/Q4VnshlN1snqFJxkrxP/08c5AY8bs+Kes
 fczg==
X-Gm-Message-State: APzg51DqDQd6CyiE4tkGuOi/Sm5o4mQniDgPCvU75XvwCcwNav9dsNLF
 aPn/CnCRjwPm2XXflNEOzX0=
X-Google-Smtp-Source: ANB0VdYp65+QIzVMynChDj7HA+kzoygkK/JU1/esWE8Q0kZjM4JgygeshB0aK1bC0OBgOz2TUqLuyg==
X-Received: by 2002:a62:ed5:: with SMTP id 82-v6mr175259pfo.198.1536192246467; 
 Wed, 05 Sep 2018 17:04:06 -0700 (PDT)
Received: from tomato.housegordon.com (moose.housegordon.com. [184.68.105.38])
 by smtp.googlemail.com with ESMTPSA id
 d22-v6sm9499520pfm.48.2018.09.05.17.04.04
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Wed, 05 Sep 2018 17:04:05 -0700 (PDT)
References: <CAMbU8_ETi0=t81=M06BPRWukTn+wz0HQH0T7vG46+ruta4XdXQ@mail.gmail.com>
 <64f9d762-bdaf-9c4f-444f-f18f36b452cf@gmail.com>
 <CAMbU8_F+EAyojfosT49b73JyBZ-QxeqkmUfPhJMmZF4zv3kh9Q@mail.gmail.com>
 <6321ec76-bb32-d9e0-42ce-cbb371b8118c@gmail.com>
 <CA+8g5KH4dAPvD25qzBF+RifhAXpwQVQrdLyHpYg0HRF9rQ6zgg@mail.gmail.com>
From: Assaf Gordon <assafgordon@gmail.com>
Message-ID: <20f04d18-bb9b-d7f3-2f99-69f2648a0346@gmail.com>
Date: Wed, 5 Sep 2018 18:04:03 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <CA+8g5KH4dAPvD25qzBF+RifhAXpwQVQrdLyHpYg0HRF9rQ6zgg@mail.gmail.com>
Content-Type: multipart/mixed; boundary="------------8FFAA7096F41F92D301D4204"
Content-Language: en-US
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

This is a multi-part message in MIME format.
--------------8FFAA7096F41F92D301D4204
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

Hello,

> On Wed, Sep 5, 2018 at 12:32 AM Assaf Gordon <assafgordon@gmail.com> wrote: >>>> On 04/09/18 07:02 PM, Saito Takaaki wrote:>>> 
https://ideone.com/Sq5xJX>>>>>> I hope this helps even a bit.>>>> The 
linked snippet you provided exposed a heap-use-after-free bug
>> in gnulib's regex module (possibly in glibc as well).

Please find the attached patch as a suggested fix.

Comments and review very welcomed,
  - assaf

--------------8FFAA7096F41F92D301D4204
Content-Type: text/x-patch;
 name="0001-regex-fix-heap-use-after-free-error.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0001-regex-fix-heap-use-after-free-error.patch"

>From d58391ad0377f0fde07e8f555583bff8125772d3 Mon Sep 17 00:00:00 2001
From: Assaf Gordon <assafgordon@gmail.com>
Date: Wed, 5 Sep 2018 17:40:28 -0600
Subject: [PATCH] regex: fix heap-use-after-free error

Problem reported by Saito Takaaki <tails.saito@gmail.com> in
https://debbugs.gnu.org/32592
Calling get_subexp() -> get_subexp_sub() -> clean_state_log_if_needed() may
call extend_buffers() which reallocates the re_string_t's internal buffer.
Local variable 'buf' was not updated in such case, resulting in
use-after-free.
* regexec.c (get_subexp): Update 'buf' after calling get_subexp_sub.
---
 ChangeLog     | 12 ++++++++++++
 lib/regexec.c |  1 +
 2 files changed, 13 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 23689545a..3cafe2177 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2018-09-05  Assaf Gordon <assafgordon@gmail.com>
+
+	regex: fix heap-use-after-free error
+	Problem reported by Saito Takaaki <tails.saito@gmail.com> in
+	https://debbugs.gnu.org/32592
+	Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may
+	call extend_buffers which reallocates the re_string_t internal buffer.
+	Local variable 'buf' was not updated in such case, resulting in
+	use-after-free.
+	* regexec.c (get_subexp): Update 'buf' after call to get_subexp_sub.
+	Additionally, check for allocation errors and bail out if needed.
+
 2018-09-05  Eric Blake  <eblake@redhat.com>
 
 	doc: mention environ pitfall
diff --git a/lib/regexec.c b/lib/regexec.c
index 73644c234..61a4ea26d 100644
--- a/lib/regexec.c
+++ b/lib/regexec.c
@@ -2777,6 +2777,7 @@ get_subexp (re_match_context_t *mctx, Idx bkref_node, Idx bkref_str_idx)
 	    return REG_ESPACE;
 	  err = get_subexp_sub (mctx, sub_top, sub_last, bkref_node,
 				bkref_str_idx);
+	  buf = (const char *) re_string_get_buffer (&mctx->input);
 	  if (err == REG_NOMATCH)
 	    continue;
 	}
-- 
2.11.0


--------------8FFAA7096F41F92D301D4204--




From unknown Thu Aug 14 21:56:19 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#32592: heap-use-after-free in regex module
Resent-From: Assaf Gordon <assafgordon@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-sed@gnu.org
Resent-Date: Thu, 06 Sep 2018 01:09:02 +0000
Resent-Message-ID: <handler.32592.B32592.153619612625090@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 32592
X-GNU-PR-Package: sed
X-GNU-PR-Keywords: 
To: Jim Meyering <jim@meyering.net>
Cc: bill-auger@peers.community, Eric Blake <eblake@redhat.com>, 32592@debbugs.gnu.org, tails.saito@gmail.com, "bug-gnulib@gnu.org List" <bug-gnulib@gnu.org>
Received: via spool by 32592-submit@debbugs.gnu.org id=B32592.153619612625090
          (code B ref 32592); Thu, 06 Sep 2018 01:09:02 +0000
Received: (at 32592) by debbugs.gnu.org; 6 Sep 2018 01:08:46 +0000
Received: from localhost ([127.0.0.1]:47526 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1fximm-0006WU-3A
	for submit@debbugs.gnu.org; Wed, 05 Sep 2018 21:08:46 -0400
Received: from mail-it0-f43.google.com ([209.85.214.43]:36034)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <assafgordon@gmail.com>) id 1fximg-0006WC-8O
 for 32592@debbugs.gnu.org; Wed, 05 Sep 2018 21:08:39 -0400
Received: by mail-it0-f43.google.com with SMTP id u13-v6so12050190iti.1
 for <32592@debbugs.gnu.org>; Wed, 05 Sep 2018 18:08:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=subject:from:to:cc:references:message-id:date:user-agent
 :mime-version:in-reply-to:content-language;
 bh=SbTDQWOXty0IjJKsqwV36dnf57SdBrTy6rknlMU4NS4=;
 b=awIi9Vy3baR4oSnrIdx79/V9XUJ556nlTd+DOAueufVt5tQakS416RjHGlxk1SpzND
 DZ7/FDJYy8lH9r2DrY/XAy88Vty66+EUhamAdimsMH814AALFIA7xjWAukqD8xJIxHfg
 UnG6h3Mdas8GdtFQgHZag1YGJRpLXkoT1+26LY9jt8vMxAYbF1v5yNEqcn7NVxYCRrus
 LlcSfMNglM8f9jbC+Qz3bIOSgMrvxJ8oB/TKD5W9insUXBHiE7gCdUXl8CB0+tLITTH0
 qDONXv/bxB7jAZ7j6jm7W+y64/vK3nz80fhGgSKGOHL2rETEg0yTQR+1hdm3TOcHdq5P
 AWtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:subject:from:to:cc:references:message-id:date
 :user-agent:mime-version:in-reply-to:content-language;
 bh=SbTDQWOXty0IjJKsqwV36dnf57SdBrTy6rknlMU4NS4=;
 b=iC9VoXNmSD3PgVzM+KXeUvA8pn1YwalOsV8Yd3wI9n/O7KMScOyjfz+bvQSU8ALQ0G
 gTJEIGpulTKSRg5Sq/lWfDOP2HN/V3QlXQVGHLp+MMODxLcOmG4xiGLcRMxqTw2lq7ZY
 7dfcrwL8eto1dBD+YK1TUNPSTUGnXcQs4d5XIoNLfBLTVAEH/CwmkMfo0U8OEYB+yFVO
 YIBJCmoCpwY8Zsr9kQaoy1KuvXMxBYwSEMUM5xUMoS4tV2mwfekEmZiB1IcXb+gXhl71
 OaDFgUpw+Gk+JMsDGxLwaVeDwsQQ8cSAy5P9Z0wGoBwHzEpMRjL6YZqAZv/z07dmnRVg
 W2gw==
X-Gm-Message-State: APzg51DJAc7hfxmVPqoHqX7X008XiTdYSqGuQi7yL0Pd3L9ja8XfsdPW
 1xZCtb6RPGVha+Xelh/uS4E=
X-Google-Smtp-Source: ANB0VdZa2OSoMEHnROI4CPa1Gn+tT+PkcnpCkfMqnKr/Camm7HD//zvAGHK9nCnrnRJyfQvYhyVBVQ==
X-Received: by 2002:a24:5d0:: with SMTP id 199-v6mr824988itl.88.1536196107941; 
 Wed, 05 Sep 2018 18:08:27 -0700 (PDT)
Received: from tomato.housegordon.com (moose.housegordon.com. [184.68.105.38])
 by smtp.googlemail.com with ESMTPSA id
 g6-v6sm1285187iom.48.2018.09.05.18.08.25
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Wed, 05 Sep 2018 18:08:25 -0700 (PDT)
From: Assaf Gordon <assafgordon@gmail.com>
References: <CAMbU8_ETi0=t81=M06BPRWukTn+wz0HQH0T7vG46+ruta4XdXQ@mail.gmail.com>
 <64f9d762-bdaf-9c4f-444f-f18f36b452cf@gmail.com>
 <CAMbU8_F+EAyojfosT49b73JyBZ-QxeqkmUfPhJMmZF4zv3kh9Q@mail.gmail.com>
 <6321ec76-bb32-d9e0-42ce-cbb371b8118c@gmail.com>
 <CA+8g5KH4dAPvD25qzBF+RifhAXpwQVQrdLyHpYg0HRF9rQ6zgg@mail.gmail.com>
 <20f04d18-bb9b-d7f3-2f99-69f2648a0346@gmail.com>
Message-ID: <5200884c-1a12-05d6-24bb-a78f2826bf81@gmail.com>
Date: Wed, 5 Sep 2018 19:08:24 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <20f04d18-bb9b-d7f3-2f99-69f2648a0346@gmail.com>
Content-Type: multipart/mixed; boundary="------------3533D9D75011A8CC55CEF008"
Content-Language: en-US
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

This is a multi-part message in MIME format.
--------------3533D9D75011A8CC55CEF008
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

Hello,
Assuming the gnulib bugfix is valid (in my previous email),
I suggest adding the following test to sed (after updating gnulib).

comments welcomed,
  - assaf



--------------3533D9D75011A8CC55CEF008
Content-Type: text/x-patch;
 name="0001-sed-fix-heap-use-after-free-bug-in-s-command.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0001-sed-fix-heap-use-after-free-bug-in-s-command.patch"

>From bc2794c76cd4202df5172bdbe364a4006e6edbe6 Mon Sep 17 00:00:00 2001
From: Assaf Gordon <assafgordon@gmail.com>
Date: Wed, 5 Sep 2018 18:58:55 -0600
Subject: [PATCH] sed: fix heap-use-after-free bug in s/// command

sed would accesses freed memory when given specific backreferences
in 's' command. Reported by Saito Takaaki <tails.saito@gmail.com>
in https://debbugs.gnu.org/32592 .

This is a gnulib/glibc bug which can be triggered by sed.
If the bug is detected, it is recommended to rebuild sed with the built-in
regex engine (./configure --with-included-regex).

Example:

    echo 'abcdefghijk!!!!!!!!!!abcdefghijk!!!!!!!!!!' \
        | valgrind ./sed/sed -E 's/(.+).*\1//i'

* NEWS: Mention the fix.
* testsuite/bug32592.sh: Test for the bug.
* testsuite/local.mk (T): Add new test.
---
 NEWS                  |   6 +++
 testsuite/bug32592.sh | 140 ++++++++++++++++++++++++++++++++++++++++++++++++++
 testsuite/local.mk    |   1 +
 3 files changed, 147 insertions(+)
 create mode 100755 testsuite/bug32592.sh

diff --git a/NEWS b/NEWS
index e25d26b..ecbba45 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,12 @@ GNU sed NEWS                                    -*- outline -*-
   sed no longer accesses invalid memory (heap overflow) with s/$//n regexes.
   [bug#32271, present since sed-4.3].
 
+  sed no longer accesses freed memory when given specific backreferences
+  in 's' command. This is a gnulib/glibc bug which can be triggered by sed.
+  If the bug is detected, it is recommended to rebuild sed with the built-in
+  regex engine (./configure --with-included-regex) [bug#32592, present at
+  least since sed-4.0.6].
+
 
 * Noteworthy changes in release 4.5 (2018-03-31) [stable]
 
diff --git a/testsuite/bug32592.sh b/testsuite/bug32592.sh
new file mode 100755
index 0000000..863768e
--- /dev/null
+++ b/testsuite/bug32592.sh
@@ -0,0 +1,140 @@
+#!/bin/sh
+# sed would access freed memory under certain uses.
+# Before sed-4.6, this would result in "Invalid read of size 1" and
+# "Address 0x56096d0 is 16 bytes inside a block of size 42 free'd"
+#
+# The root cause is a gnulib/glibc bug (not sed code).
+# If this test fail, it is recommended to build sed with internal
+# regex implementation (./configure --with-included-regex).
+
+# Copyright (C) 2018 Free Software Foundation, Inc.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+## This warning will be shown on top in the test-suite.log file - hopefully
+## users/testers will see it and avoid submitting false-positive bugs.
+printf "%s\n" \
+   "" \
+   "=======================================================" \
+   "=======================================================" \
+   "" \
+   "  If this test failed (bug32592) you are likely using a buggy glibc." \
+   "  consider recompiling with './configure --with-internal-regex'" \
+   "" \
+   "========================================================" \
+   "========================================================" \
+   ""
+
+
+. "${srcdir=.}/testsuite/init.sh"; path_prepend_ ./sed
+print_ver_ sed
+
+require_valgrind_
+
+
+
+##
+## Test 1: minimal reproducer
+##
+
+printf 'abcdefghijk!!!!!!!!!!!!!!!abcdefghijk!!!!!!!!!!!!!!!' > in1 \
+  || framework_failure_
+printf 's/(.+).*\1//i' > prog1 || framework_failure_
+
+valgrind --quiet --error-exitcode=1 \
+  sed -E 's/(.+).*\1//i' in1 > out1 2> err1 || fail=1
+
+echo "valgrind report for 'test1':"
+echo "=================================="
+cat err1
+echo "=================================="
+
+# Work around a bug in CentOS 5.10's valgrind
+# FIXME: remove in 2018 or when CentOS 5 is no longer officially supported
+grep 'valgrind: .*Assertion.*failed' err-posix > /dev/null \
+  && skip_ 'you seem to have a buggy version of valgrind'
+
+compare /dev/null out1 || fail=1
+compare /dev/null err1 || fail=1
+
+
+
+
+##
+## Test 2: The original bug report
+##
+
+cat<<\EOF>prog2 || framework_failure_
+s/$/\nabcdefghijklmnopqrstuvwxyz/
+s/\(\(.\).\+\(.\)\)\(.*\n.*\1\)/\2-\3\4/i
+P
+d
+EOF
+
+cat<<\EOF>in2 || framework_failure_
+abcdefghijklmns!!!!!!!!!!!!!!!!!!!!!!!!!!
+abcdefghijklmns!!!!!!!!!!!!!!!!!!!!!!!!!
+abcdefghijklmns!!!!!!!!!!!!!!!!!!!!!!!!
+abcdefghijklmns!!!!!!!!!!!!!!!!!!!!!!!
+abcdefghijklmns!!!!!!!!!!!!!!!!!!!!!!
+abcdefghijklmns!!!!!!!!!!!!!!!!!!!!!!
+EOF
+
+cat<<\EOF>exp2 || framework_failure_
+a-ns!!!!!!!!!!!!!!!!!!!!!!!!!!
+a-ns!!!!!!!!!!!!!!!!!!!!!!!!!
+a-ns!!!!!!!!!!!!!!!!!!!!!!!!
+a-ns!!!!!!!!!!!!!!!!!!!!!!!
+a-ns!!!!!!!!!!!!!!!!!!!!!!
+a-ns!!!!!!!!!!!!!!!!!!!!!!
+EOF
+
+valgrind --quiet --error-exitcode=1 \
+  sed -f prog2 in2 > out2 2> err2 || fail=1
+
+echo "valgrind report for 'test2':"
+echo "=================================="
+cat err2
+echo "=================================="
+
+compare exp2 out2 || fail=1
+compare /dev/null err2 || fail=1
+
+
+##
+## Test 3: The original bug report
+## This bug was hard to trigger after 4.4, but still existed in 32bit.
+
+printf 'abcdefghijkl' > in3 || framework_failure_
+printf '(abcdefghijkl)' > exp3 || framework_failure_
+
+valgrind --quiet --error-exitcode=1 \
+  sed 'h;G;s/\(a.*\).*\1/(\1)/i' in3 > out3 2> err3 || fail=1
+
+echo "valgrind report for 'test3':"
+echo "=================================="
+cat err3
+echo "=================================="
+
+compare exp3 out3 || fail=1
+compare /dev/null err3 || fail=1
+
+
+# This warning will be shown on the summarized PASS/FAIL list of tests.
+if test -n "$fail" ; then
+  warn_ "If this test failed (bug32592) you are likely using a buggy glibc."
+  warn_ "consider recompiling with './configure --with-internal-regex'"
+fi
+
+Exit $fail
diff --git a/testsuite/local.mk b/testsuite/local.mk
index 6d0a74d..15db72d 100644
--- a/testsuite/local.mk
+++ b/testsuite/local.mk
@@ -46,6 +46,7 @@ T =					\
   testsuite/bug32082.sh		\
   testsuite/bug32271-1.sh		\
   testsuite/bug32271-2.sh		\
+  testsuite/bug32592.sh			\
   testsuite/cmd-l.sh			\
   testsuite/cmd-R.sh			\
   testsuite/colon-with-no-label.sh	\
-- 
2.11.0


--------------3533D9D75011A8CC55CEF008--




From unknown Thu Aug 14 21:56:19 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#32592: heap-use-after-free in regex module
Resent-From: Assaf Gordon <assafgordon@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-sed@gnu.org
Resent-Date: Thu, 06 Sep 2018 01:29:02 +0000
Resent-Message-ID: <handler.32592.B32592.153619730926850@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 32592
X-GNU-PR-Package: sed
X-GNU-PR-Keywords: 
To: Jim Meyering <jim@meyering.net>
Cc: bill-auger@peers.community, Eric Blake <eblake@redhat.com>, 32592@debbugs.gnu.org, tails.saito@gmail.com, "bug-gnulib@gnu.org List" <bug-gnulib@gnu.org>
Received: via spool by 32592-submit@debbugs.gnu.org id=B32592.153619730926850
          (code B ref 32592); Thu, 06 Sep 2018 01:29:02 +0000
Received: (at 32592) by debbugs.gnu.org; 6 Sep 2018 01:28:29 +0000
Received: from localhost ([127.0.0.1]:47532 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1fxj5x-0006z0-9M
	for submit@debbugs.gnu.org; Wed, 05 Sep 2018 21:28:29 -0400
Received: from mail-io0-f182.google.com ([209.85.223.182]:46341)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <assafgordon@gmail.com>) id 1fxj5q-0006yf-KE
 for 32592@debbugs.gnu.org; Wed, 05 Sep 2018 21:28:23 -0400
Received: by mail-io0-f182.google.com with SMTP id y12-v6so7541598ioj.13
 for <32592@debbugs.gnu.org>; Wed, 05 Sep 2018 18:28:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=subject:from:to:cc:references:message-id:date:user-agent
 :mime-version:in-reply-to:content-language;
 bh=a973eW0mAJvNs9GLzeoiaLJkhDD1Hzi95VPrQsFVl/k=;
 b=j5qUer0a/Y2JMslFh5jA16NJ8w6Q5oB7htWsn4aOFJHVl8j9tLpqNzyFUUMfj5hzYS
 cYCr7e/lmCWyPWqVeqfwN68pTUX7VH4d/UvqPbY2DEdrF9vmMj/e+x/KwkpcqSgJ6VRi
 mVqnYha+miEeTRN7SOp7EdFw9JUy80gc7XpSx8nXmfMHwl0cibw/umeabC8QeMKOKvN2
 wiosd1Hf6MYf4ofH1F3po2bmOQAEC82gAbvQVYPu+hI3QLH8TsiTPZbjyOXsqB2vexgQ
 mcZheezGylZylLlxUgKa3/QcEL7iIp2/HVamCxVBw/q96Rwi1aBZw9V5vpefFL84pRRj
 lOXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:subject:from:to:cc:references:message-id:date
 :user-agent:mime-version:in-reply-to:content-language;
 bh=a973eW0mAJvNs9GLzeoiaLJkhDD1Hzi95VPrQsFVl/k=;
 b=mKKAPQr2uwRwJI6/3FnS1yDMbsnTD/tqb7/P0k3izGZCJY3FxgIRguoPbi93UtpJH+
 90ieq/qhxdb4F8Fw95zNIyzv9EEZs5Brzp3WAk4067LY/ckHnW8zJReZzm7U3sqk8gB8
 mA/Wh7WPKaiSb0np7CRU52yzQYH3bP7B7zJK/LtYIYMcmVPZFuKK8hI5wBjamr7mpTXH
 VG/+nwjoTmktwypRiJ2ah+QL6rYakc7haYwvFtY2iMIDMMLsM7a4XTgu6EMLk2SI+XWV
 qhNEiWEtUM3uE5YmBcSQobgLdCkmPFVmBhH7hBwIFwBdYWeNXdLSSoWNCGvIG05Z49B+
 nNbg==
X-Gm-Message-State: APzg51AWJ8HbG2zLR2IWy9LQs+T7hwl7JNceU4BbM2S7DtFBTYeKk/4x
 mroeGHcNbzGagd8ktgGtxeo=
X-Google-Smtp-Source: ANB0VdbiOzyqKdNNT+S6tjPS/oPKNZ5Jgpiu4qh0Rh5/SwSt4Rl6uYYF2eM58303rDG93fTw6FUIwg==
X-Received: by 2002:a6b:2cc1:: with SMTP id
 s184-v6mr280211ios.23.1536197297138; 
 Wed, 05 Sep 2018 18:28:17 -0700 (PDT)
Received: from tomato.housegordon.com (moose.housegordon.com. [184.68.105.38])
 by smtp.googlemail.com with ESMTPSA id
 q196-v6sm1399041iod.23.2018.09.05.18.28.14
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Wed, 05 Sep 2018 18:28:15 -0700 (PDT)
From: Assaf Gordon <assafgordon@gmail.com>
References: <CAMbU8_ETi0=t81=M06BPRWukTn+wz0HQH0T7vG46+ruta4XdXQ@mail.gmail.com>
 <64f9d762-bdaf-9c4f-444f-f18f36b452cf@gmail.com>
 <CAMbU8_F+EAyojfosT49b73JyBZ-QxeqkmUfPhJMmZF4zv3kh9Q@mail.gmail.com>
 <6321ec76-bb32-d9e0-42ce-cbb371b8118c@gmail.com>
 <CA+8g5KH4dAPvD25qzBF+RifhAXpwQVQrdLyHpYg0HRF9rQ6zgg@mail.gmail.com>
 <20f04d18-bb9b-d7f3-2f99-69f2648a0346@gmail.com>
Message-ID: <1a5e6d4d-4c27-d277-be4d-4a6864489dfb@gmail.com>
Date: Wed, 5 Sep 2018 19:28:14 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <20f04d18-bb9b-d7f3-2f99-69f2648a0346@gmail.com>
Content-Type: multipart/mixed; boundary="------------0E842711D5B4B216BC323901"
Content-Language: en-US
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

This is a multi-part message in MIME format.
--------------0E842711D5B4B216BC323901
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

Bruno alerted me off-list:

On 05/09/18 07:19 PM, Bruno Haible wrote:
 > Is the ChangeLog entry up-to-date?
 >
 > +	* regexec.c (get_subexp): Update 'buf' after call to get_subexp_sub.
 > +	Additionally, check for allocation errors and bail out if needed.
 >
 > I don't see a code change for
 > "check for allocation errors and bail out if needed".

Thanks!

I initially had a check for REG_NOERROR there, but removed it.

Attached an updated patch without the outdated comment.

-assaf



--------------0E842711D5B4B216BC323901
Content-Type: text/x-patch;
 name="0001-regex-fix-heap-use-after-free-error.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0001-regex-fix-heap-use-after-free-error.patch"

>From 3e6bc87d1a8dc6e22c6d60d06aef0b0b6cb03a49 Mon Sep 17 00:00:00 2001
From: Assaf Gordon <assafgordon@gmail.com>
Date: Wed, 5 Sep 2018 17:40:28 -0600
Subject: [PATCH] regex: fix heap-use-after-free error

Problem reported by Saito Takaaki <tails.saito@gmail.com> in
https://debbugs.gnu.org/32592
Calling get_subexp() -> get_subexp_sub() -> clean_state_log_if_needed() may
call extend_buffers() which reallocates the re_string_t's internal buffer.
Local variable 'buf' was not updated in such case, resulting in
use-after-free.
* regexec.c (get_subexp): Update 'buf' after calling get_subexp_sub.
---
 ChangeLog     | 11 +++++++++++
 lib/regexec.c |  1 +
 2 files changed, 12 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 23689545a..e3c01c644 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2018-09-05  Assaf Gordon <assafgordon@gmail.com>
+
+	regex: fix heap-use-after-free error
+	Problem reported by Saito Takaaki <tails.saito@gmail.com> in
+	https://debbugs.gnu.org/32592
+	Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may
+	call extend_buffers which reallocates the re_string_t internal buffer.
+	Local variable 'buf' was not updated in such case, resulting in
+	use-after-free.
+	* regexec.c (get_subexp): Update 'buf' after call to get_subexp_sub.
+
 2018-09-05  Eric Blake  <eblake@redhat.com>
 
 	doc: mention environ pitfall
diff --git a/lib/regexec.c b/lib/regexec.c
index 73644c234..61a4ea26d 100644
--- a/lib/regexec.c
+++ b/lib/regexec.c
@@ -2777,6 +2777,7 @@ get_subexp (re_match_context_t *mctx, Idx bkref_node, Idx bkref_str_idx)
 	    return REG_ESPACE;
 	  err = get_subexp_sub (mctx, sub_top, sub_last, bkref_node,
 				bkref_str_idx);
+	  buf = (const char *) re_string_get_buffer (&mctx->input);
 	  if (err == REG_NOMATCH)
 	    continue;
 	}
-- 
2.11.0


--------------0E842711D5B4B216BC323901--




From unknown Thu Aug 14 21:56:19 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#32592: heap-use-after-free in regex module
Resent-From: Jim Meyering <jim@meyering.net>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-sed@gnu.org
Resent-Date: Thu, 06 Sep 2018 04:34:02 +0000
Resent-Message-ID: <handler.32592.B32592.153620839919184@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 32592
X-GNU-PR-Package: sed
X-GNU-PR-Keywords: 
To: Assaf Gordon <assafgordon@gmail.com>
Cc: bill-auger@peers.community, Eric Blake <eblake@redhat.com>, 32592@debbugs.gnu.org, tails.saito@gmail.com, "bug-gnulib@gnu.org List" <bug-gnulib@gnu.org>
Received: via spool by 32592-submit@debbugs.gnu.org id=B32592.153620839919184
          (code B ref 32592); Thu, 06 Sep 2018 04:34:02 +0000
Received: (at 32592) by debbugs.gnu.org; 6 Sep 2018 04:33:19 +0000
Received: from localhost ([127.0.0.1]:47576 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1fxlyo-0004zM-WB
	for submit@debbugs.gnu.org; Thu, 06 Sep 2018 00:33:19 -0400
Received: from mail-wm0-f46.google.com ([74.125.82.46]:38505)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <meyering@gmail.com>) id 1fxlym-0004z7-RF
 for 32592@debbugs.gnu.org; Thu, 06 Sep 2018 00:33:17 -0400
Received: by mail-wm0-f46.google.com with SMTP id t25-v6so9713780wmi.3
 for <32592@debbugs.gnu.org>; Wed, 05 Sep 2018 21:33:16 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=b26CIoFlUx5QEcBU5RQMdzWKuDfjF3+x6m05X1fzNjU=;
 b=HDioUmkC/shua+COPXtceplQW82g0/mxXRgYYMDemTQGv1pikBOVphuppOdJ6ShaJc
 zk+u/oynETAUZYYpslcWV/mvblNw/nHdNOkW9A9a2Uzn9gAWYPoeKXN2WsDVsL1e1PIn
 ksEAMgXru6VuAzA1thgRpEUPEyjis9K7SX2PEg/HPuh9nVlw8VIhRyGHY/1C9bof/7Io
 PsENkzPNPLKE/LgFtehrHUZZAOagg+d1eYEeItN/0nZLxR5aRsYQaUNPsjIf2Mo/ZoHA
 lslpKKWX/MhozrjJ/P/bBrg6jxh0YNAfovZFLmcERzIylFtF9kMcNCxQ9Q+tB+BORB2Q
 W9dQ==
X-Gm-Message-State: APzg51BP/ew/XbcQy/wgI70b7r43FPiyXHPhToccKvp1U8DgHRFqooTN
 Prm8cbI5wNf5tLYt6rF4j0ZQnva6qJLj2qQClIk=
X-Google-Smtp-Source: ANB0Vda+EP2Ql+tnQPSXs//j1w7HArztUj2J0ZbIYLe+bNf/LhJ1mWswJdEaKfxYanOSUbZHy0MgQJ6OFIrXO8MdEGc=
X-Received: by 2002:a1c:1943:: with SMTP id 64-v6mr805328wmz.89.1536208390342; 
 Wed, 05 Sep 2018 21:33:10 -0700 (PDT)
MIME-Version: 1.0
References: <CAMbU8_ETi0=t81=M06BPRWukTn+wz0HQH0T7vG46+ruta4XdXQ@mail.gmail.com>
 <64f9d762-bdaf-9c4f-444f-f18f36b452cf@gmail.com>
 <CAMbU8_F+EAyojfosT49b73JyBZ-QxeqkmUfPhJMmZF4zv3kh9Q@mail.gmail.com>
 <6321ec76-bb32-d9e0-42ce-cbb371b8118c@gmail.com>
 <CA+8g5KH4dAPvD25qzBF+RifhAXpwQVQrdLyHpYg0HRF9rQ6zgg@mail.gmail.com>
 <20f04d18-bb9b-d7f3-2f99-69f2648a0346@gmail.com>
 <5200884c-1a12-05d6-24bb-a78f2826bf81@gmail.com>
In-Reply-To: <5200884c-1a12-05d6-24bb-a78f2826bf81@gmail.com>
From: Jim Meyering <jim@meyering.net>
Date: Wed, 5 Sep 2018 21:32:58 -0700
Message-ID: <CA+8g5KEQo_5-N-omCnMbCvWVcBwvv=6Desrv3NvjZjM+fCkWdw@mail.gmail.com>
Content-Type: multipart/mixed; boundary="000000000000687ad805752c6377"
X-Spam-Score: 0.4 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.6 (/)

--000000000000687ad805752c6377
Content-Type: text/plain; charset="UTF-8"

On Wed, Sep 5, 2018 at 6:08 PM Assaf Gordon <assafgordon@gmail.com> wrote:
> Assuming the gnulib bugfix is valid (in my previous email),
> I suggest adding the following test to sed (after updating gnulib).

Thank you, Assaf.
Only tiny suggestions:

--000000000000687ad805752c6377
Content-Type: application/octet-stream; name="sed-test-tweak.diff"
Content-Disposition: attachment; filename="sed-test-tweak.diff"
Content-Transfer-Encoding: base64
Content-ID: <f_jlq2s26r0>
X-Attachment-Id: f_jlq2s26r0

ZGlmZiAtLWdpdCBhL3Rlc3RzdWl0ZS9idWczMjU5Mi5zaCBiL3Rlc3RzdWl0ZS9idWczMjU5Mi5z
aAppbmRleCA4NjM3NjhlLi5lM2I2NDBkIDEwMDc1NQotLS0gYS90ZXN0c3VpdGUvYnVnMzI1OTIu
c2gKKysrIGIvdGVzdHN1aXRlL2J1ZzMyNTkyLnNoCkBAIC0xLDExICsxLDExIEBACiAjIS9iaW4v
c2gKLSMgc2VkIHdvdWxkIGFjY2VzcyBmcmVlZCBtZW1vcnkgdW5kZXIgY2VydGFpbiB1c2VzLgor
IyBzZWQgY291bGQgYWNjZXNzIGZyZWVkIG1lbW9yeS4KICMgQmVmb3JlIHNlZC00LjYsIHRoaXMg
d291bGQgcmVzdWx0IGluICJJbnZhbGlkIHJlYWQgb2Ygc2l6ZSAxIiBhbmQKICMgIkFkZHJlc3Mg
MHg1NjA5NmQwIGlzIDE2IGJ5dGVzIGluc2lkZSBhIGJsb2NrIG9mIHNpemUgNDIgZnJlZSdkIgog
IwogIyBUaGUgcm9vdCBjYXVzZSBpcyBhIGdudWxpYi9nbGliYyBidWcgKG5vdCBzZWQgY29kZSku
Ci0jIElmIHRoaXMgdGVzdCBmYWlsLCBpdCBpcyByZWNvbW1lbmRlZCB0byBidWlsZCBzZWQgd2l0
aCBpbnRlcm5hbAotIyByZWdleCBpbXBsZW1lbnRhdGlvbiAoLi9jb25maWd1cmUgLS13aXRoLWlu
Y2x1ZGVkLXJlZ2V4KS4KKyMgSWYgdGhpcyB0ZXN0IGZhaWxzLCBlaXRoZXIgdXBncmFkZSB0byBh
IGZpeGVkIGdsaWJjIG9yIGJ1aWxkIHNlZCB3aXRoCisjIGl0cyBpbmNsdWRlZCByZWdleCBpbXBs
ZW1lbnRhdGlvbiAoLi9jb25maWd1cmUgLS13aXRoLWluY2x1ZGVkLXJlZ2V4KS4KCiAjIENvcHly
aWdodCAoQykgMjAxOCBGcmVlIFNvZnR3YXJlIEZvdW5kYXRpb24sIEluYy4KCg==
--000000000000687ad805752c6377--




From unknown Thu Aug 14 21:56:19 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#32592: heap-use-after-free in regex module
Resent-From: Jim Meyering <jim@meyering.net>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-sed@gnu.org
Resent-Date: Thu, 06 Sep 2018 04:47:02 +0000
Resent-Message-ID: <handler.32592.B32592.153620917820440@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 32592
X-GNU-PR-Package: sed
X-GNU-PR-Keywords: 
To: Assaf Gordon <assafgordon@gmail.com>
Cc: bill-auger@peers.community, Eric Blake <eblake@redhat.com>, 32592@debbugs.gnu.org, tails.saito@gmail.com, "bug-gnulib@gnu.org List" <bug-gnulib@gnu.org>
Received: via spool by 32592-submit@debbugs.gnu.org id=B32592.153620917820440
          (code B ref 32592); Thu, 06 Sep 2018 04:47:02 +0000
Received: (at 32592) by debbugs.gnu.org; 6 Sep 2018 04:46:18 +0000
Received: from localhost ([127.0.0.1]:47581 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1fxmBO-0005Jc-8w
	for submit@debbugs.gnu.org; Thu, 06 Sep 2018 00:46:18 -0400
Received: from mail-wm0-f45.google.com ([74.125.82.45]:33214)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <meyering@gmail.com>) id 1fxmBL-0005JM-SB
 for 32592@debbugs.gnu.org; Thu, 06 Sep 2018 00:46:16 -0400
Received: by mail-wm0-f45.google.com with SMTP id r1-v6so13332878wmh.0
 for <32592@debbugs.gnu.org>; Wed, 05 Sep 2018 21:46:15 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=Tb6Y8ESQpcw/n6wPwa5IQy+5K/odrjWnUC6LlUrUMJA=;
 b=sP63z6cF3bhvQCXr1QvmQN7d+1Y9dv6knQBd8WwbsWKXvHKVOJ72BuZIUW5Ni5GnZB
 jfzjrrKmSfu4GnYVcmtdQNPGfwsulZSwtIzSX20yE1xpaQ2LOSdGbJll1m8r6secFaCc
 MzkaDjGgF2KPoeOUcc1b29issD5ynyyfSXxlLZcP6hJgp2hrqE7ApS6xF+OwvO27gAWm
 fCytingRsIDPKBj0WFidqTlO3+kI2XG0RWXzvoZdygzxWu0ZT/uI20hBsVDpEtyb8C1s
 UDgjXo+r7jBVVro0vZ9HYAjgZcwCzZ6sl/xbKGcFiGu9Pis01VqUbcP6pnZqerKUDwSx
 9u4w==
X-Gm-Message-State: APzg51CP1l8rtbArogmIZzJ4L/af5qJq+KxASildLwS8GIro/Ri8pWmR
 5RRiosYPy5D+1flMvx7cdQ+/caRGr55xc1MP/1o=
X-Google-Smtp-Source: ANB0VdbZ/8nR7gQBQJHr6WMUWsFm3CidpPa6KrCFu94mW0qW9AATZADUgAwoO/vJwYxM4COAUKFrJcAavXwpn1g6vMY=
X-Received: by 2002:a1c:7704:: with SMTP id t4-v6mr932641wmi.136.1536209170245; 
 Wed, 05 Sep 2018 21:46:10 -0700 (PDT)
MIME-Version: 1.0
References: <CAMbU8_ETi0=t81=M06BPRWukTn+wz0HQH0T7vG46+ruta4XdXQ@mail.gmail.com>
 <64f9d762-bdaf-9c4f-444f-f18f36b452cf@gmail.com>
 <CAMbU8_F+EAyojfosT49b73JyBZ-QxeqkmUfPhJMmZF4zv3kh9Q@mail.gmail.com>
 <6321ec76-bb32-d9e0-42ce-cbb371b8118c@gmail.com>
 <CA+8g5KH4dAPvD25qzBF+RifhAXpwQVQrdLyHpYg0HRF9rQ6zgg@mail.gmail.com>
 <20f04d18-bb9b-d7f3-2f99-69f2648a0346@gmail.com>
 <1a5e6d4d-4c27-d277-be4d-4a6864489dfb@gmail.com>
In-Reply-To: <1a5e6d4d-4c27-d277-be4d-4a6864489dfb@gmail.com>
From: Jim Meyering <jim@meyering.net>
Date: Wed, 5 Sep 2018 21:45:57 -0700
Message-ID: <CA+8g5KFbdW=wc1X9fzWEbo0jkmjE3hfogMXvaUBgAxTbW7kyUw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 0.4 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.6 (/)

On Wed, Sep 5, 2018 at 6:28 PM Assaf Gordon <assafgordon@gmail.com> wrote:
>
> Bruno alerted me off-list:
>
> On 05/09/18 07:19 PM, Bruno Haible wrote:
>  > Is the ChangeLog entry up-to-date?
>  >
>  > +    * regexec.c (get_subexp): Update 'buf' after call to get_subexp_sub.
>  > +    Additionally, check for allocation errors and bail out if needed.
>  >
>  > I don't see a code change for
>  > "check for allocation errors and bail out if needed".
>
> Thanks!
>
> I initially had a check for REG_NOERROR there, but removed it.
>
> Attached an updated patch without the outdated comment.

Very nice work!

Your change looks fine: set "buf" to account for potentially-moved
allocation, just as is done on three other lines above.
However, I couldn't help but notice this nonsense right after the line
you inserted:

          if (err == REG_NOMATCH)
            continue;
        }

That is an "if (...) continue;" just before the closing brace of a
for-loop. Those two lines constitute a no-op and should be removed,
though not as part of your change.




From unknown Thu Aug 14 21:56:19 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#32592: heap-use-after-free in regex module
Resent-From: Paul Eggert <eggert@cs.ucla.edu>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-sed@gnu.org
Resent-Date: Thu, 06 Sep 2018 07:19:03 +0000
Resent-Message-ID: <handler.32592.B32592.15362183093167@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 32592
X-GNU-PR-Package: sed
X-GNU-PR-Keywords: 
To: Jim Meyering <jim@meyering.net>, Assaf Gordon <assafgordon@gmail.com>
Cc: bill-auger@peers.community, "bug-gnulib@gnu.org List" <bug-gnulib@gnu.org>, 32592@debbugs.gnu.org, tails.saito@gmail.com, Eric Blake <eblake@redhat.com>
Received: via spool by 32592-submit@debbugs.gnu.org id=B32592.15362183093167
          (code B ref 32592); Thu, 06 Sep 2018 07:19:03 +0000
Received: (at 32592) by debbugs.gnu.org; 6 Sep 2018 07:18:29 +0000
Received: from localhost ([127.0.0.1]:47645 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1fxoYf-0000p1-9d
	for submit@debbugs.gnu.org; Thu, 06 Sep 2018 03:18:29 -0400
Received: from zimbra.cs.ucla.edu ([131.179.128.68]:36928)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eggert@cs.ucla.edu>) id 1fxoYd-0000oo-ED
 for 32592@debbugs.gnu.org; Thu, 06 Sep 2018 03:18:28 -0400
Received: from localhost (localhost [127.0.0.1])
 by zimbra.cs.ucla.edu (Postfix) with ESMTP id 15F3B1605B1;
 Thu,  6 Sep 2018 00:18:21 -0700 (PDT)
Received: from zimbra.cs.ucla.edu ([127.0.0.1])
 by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10032)
 with ESMTP id 8l3X8JzvBf5w; Thu,  6 Sep 2018 00:18:19 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
 by zimbra.cs.ucla.edu (Postfix) with ESMTP id BDC43161130;
 Thu,  6 Sep 2018 00:18:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at zimbra.cs.ucla.edu
Received: from zimbra.cs.ucla.edu ([127.0.0.1])
 by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10026)
 with ESMTP id EdGRenjuXRqx; Thu,  6 Sep 2018 00:18:19 -0700 (PDT)
Received: from [192.168.1.9] (cpe-23-242-74-103.socal.res.rr.com
 [23.242.74.103])
 by zimbra.cs.ucla.edu (Postfix) with ESMTPSA id 6747D1605B1;
 Thu,  6 Sep 2018 00:18:19 -0700 (PDT)
References: <CAMbU8_ETi0=t81=M06BPRWukTn+wz0HQH0T7vG46+ruta4XdXQ@mail.gmail.com>
 <64f9d762-bdaf-9c4f-444f-f18f36b452cf@gmail.com>
 <CAMbU8_F+EAyojfosT49b73JyBZ-QxeqkmUfPhJMmZF4zv3kh9Q@mail.gmail.com>
 <6321ec76-bb32-d9e0-42ce-cbb371b8118c@gmail.com>
 <CA+8g5KH4dAPvD25qzBF+RifhAXpwQVQrdLyHpYg0HRF9rQ6zgg@mail.gmail.com>
 <20f04d18-bb9b-d7f3-2f99-69f2648a0346@gmail.com>
 <1a5e6d4d-4c27-d277-be4d-4a6864489dfb@gmail.com>
 <CA+8g5KFbdW=wc1X9fzWEbo0jkmjE3hfogMXvaUBgAxTbW7kyUw@mail.gmail.com>
From: Paul Eggert <eggert@cs.ucla.edu>
Organization: UCLA Computer Science Department
Message-ID: <e1e98548-7304-5693-62f9-dcd7d585352b@cs.ucla.edu>
Date: Thu, 6 Sep 2018 00:18:18 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <CA+8g5KFbdW=wc1X9fzWEbo0jkmjE3hfogMXvaUBgAxTbW7kyUw@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spam-Score: -2.3 (--)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Jim Meyering wrote:
> I couldn't help but notice this nonsense right after the line
> you inserted:
> 
>            if (err == REG_NOMATCH)
>              continue;
>          }
> 
> That is an "if (...) continue;" just before the closing brace of a
> for-loop. Those two lines constitute a no-op and should be removed,
> though not as part of your change.

Actually I think the abovementioned code should be kept, and the nonsense comes 
from the fact that some code is missing after the "if". When err != REG_NOMATCH 
&& err != REG_NOERROR, the function should exit the loop and return immediately, 
because there is a memory allocation error in a subroutine.

What a coincidence that we would find two bugs right next to each other, huh?...

I filed a bug report against glibc, and unless there's an objection I would like 
to fix both bugs in glibc and propagate the fix into gnulib. Please see the 
glibc bug here:

https://sourceware.org/bugzilla/show_bug.cgi?id=23609




From unknown Thu Aug 14 21:56:19 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#32592: heap-use-after-free in regex module
Resent-From: Assaf Gordon <assafgordon@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-sed@gnu.org
Resent-Date: Thu, 06 Sep 2018 08:03:02 +0000
Resent-Message-ID: <handler.32592.B32592.15362209417250@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 32592
X-GNU-PR-Package: sed
X-GNU-PR-Keywords: 
To: Paul Eggert <eggert@cs.ucla.edu>
Cc: "bug-gnulib@gnu.org List" <bug-gnulib@gnu.org>, Jim Meyering <jim@meyering.net>, bill-auger <bill-auger@peers.community>, 32592@debbugs.gnu.org, Saito Takaaki <tails.saito@gmail.com>, Eric Blake <eblake@redhat.com>
Received: via spool by 32592-submit@debbugs.gnu.org id=B32592.15362209417250
          (code B ref 32592); Thu, 06 Sep 2018 08:03:02 +0000
Received: (at 32592) by debbugs.gnu.org; 6 Sep 2018 08:02:21 +0000
Received: from localhost ([127.0.0.1]:47650 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1fxpF6-0001sr-RN
	for submit@debbugs.gnu.org; Thu, 06 Sep 2018 04:02:21 -0400
Received: from mail-lf1-f54.google.com ([209.85.167.54]:42404)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <assafgordon@gmail.com>) id 1fxpF1-0001sa-0k
 for 32592@debbugs.gnu.org; Thu, 06 Sep 2018 04:02:16 -0400
Received: by mail-lf1-f54.google.com with SMTP id z11-v6so8251500lff.9
 for <32592@debbugs.gnu.org>; Thu, 06 Sep 2018 01:02:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to
 :cc; bh=qgjKUqb4EBKe+edIYddf0HpRk/LKhUAZ4iW/UxPoJjA=;
 b=jhODt4ru3F03X1reNXAFSds3pE1MVapemYwVjvzdspjGfa0Bj++I38NPjcL7SUqdnD
 +Brik1LtleP77FIOuKfRM0QSbvXT2MFPrzjkKoEdXdNfnViz2m0lHyabpMCYl3eW7qhc
 UBLXNjFO8H0+dh2H34HqNrRNTAQOa7QE2avuQ6CYtvChRui39w/FdL7GF90TNcSQ6LJp
 JwFocBtTgZo11UbI5yP4QQDIDahrsUIjHR2+/A+dmr0FIgeK6Rn0NIMpGRBdAgwUCM8L
 Mp+7MKVRWG4xSYZxxjk9pLvswKTNeoG1/f9XDAsrkMhBB3XGwG6D/3NiWzVRAe9y2IiF
 b6Cw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to:cc;
 bh=qgjKUqb4EBKe+edIYddf0HpRk/LKhUAZ4iW/UxPoJjA=;
 b=kpisVToWWnFwA2B6cutlUBNnRPld+OBUheuEB6OTW+HcUFsAKS+7gj6kK/13N4wbbO
 d2DeMjWFXv+v0YYRY38Wet3caQAWCvUPWGWJNFMAUzudzPjmNbDc9EOe9g0ytoQoGDFe
 kSTyZDFjcLZzPabkkewlJeIlZ9qtM3EKaeftAmoVIuN67ccieJv3NS5X0ws6/UkpE0g8
 d2swF0G4e8JRChreJSpqePzHBul6ce4E8eIzoXBCpuGh3UF0zRz3HzKxmjO6WD5jhHcy
 m3k7M1nloUK197dskEoLcnQ6p+ZtAAybAIp68I8q2J9AwL8TDU530/XbqBFTOBcBjqf0
 C4Wg==
X-Gm-Message-State: APzg51AC3nivpLurxjijFPqB+XoeaDxXYG8kSKzouUjjSJdEtQ0mApnl
 DAoymlulSl2GmNDFpaG4qHqHGx9nPSK6FOt3+b0=
X-Google-Smtp-Source: ANB0VdaAjGzTaftG4jiD+qABuobxWEf5OeKoHGhOHyYxKPD/SkOVwqIu4KiVMu6IXsVJS5haw/rsOw0DFSuIwY037DA=
X-Received: by 2002:a19:53d6:: with SMTP id
 h83-v6mr1119703lfl.15.1536220929034; 
 Thu, 06 Sep 2018 01:02:09 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a2e:8449:0:0:0:0:0 with HTTP;
 Thu, 6 Sep 2018 01:02:08 -0700 (PDT)
In-Reply-To: <e1e98548-7304-5693-62f9-dcd7d585352b@cs.ucla.edu>
References: <CAMbU8_ETi0=t81=M06BPRWukTn+wz0HQH0T7vG46+ruta4XdXQ@mail.gmail.com>
 <64f9d762-bdaf-9c4f-444f-f18f36b452cf@gmail.com>
 <CAMbU8_F+EAyojfosT49b73JyBZ-QxeqkmUfPhJMmZF4zv3kh9Q@mail.gmail.com>
 <6321ec76-bb32-d9e0-42ce-cbb371b8118c@gmail.com>
 <CA+8g5KH4dAPvD25qzBF+RifhAXpwQVQrdLyHpYg0HRF9rQ6zgg@mail.gmail.com>
 <20f04d18-bb9b-d7f3-2f99-69f2648a0346@gmail.com>
 <1a5e6d4d-4c27-d277-be4d-4a6864489dfb@gmail.com>
 <CA+8g5KFbdW=wc1X9fzWEbo0jkmjE3hfogMXvaUBgAxTbW7kyUw@mail.gmail.com>
 <e1e98548-7304-5693-62f9-dcd7d585352b@cs.ucla.edu>
From: Assaf Gordon <assafgordon@gmail.com>
Date: Thu, 6 Sep 2018 02:02:08 -0600
Message-ID: <CAHN-GmzBCCxKYCrMY2OAe=Y7Od0UgewfmuJnR3a5PA6YGhRTYA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Thank you all for the review and comments.

On Thu, Sep 6, 2018 at 1:18 AM, Paul Eggert <eggert@cs.ucla.edu> wrote:
> What a coincidence that we would find two bugs right next to each other,
> huh?...
>
> I filed a bug report against glibc, and unless there's an objection I would
> like to fix both bugs in glibc and propagate the fix into gnulib. Please see
> the glibc bug here:
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=23609

Speaking of coincidences,
I just found this use-after-free bug was already reported (but not fixed)
back in 2015: https://sourceware.org/bugzilla/show_bug.cgi?id=18040 .


regards,
 - assaf




From unknown Thu Aug 14 21:56:19 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#32592: heap-use-after-free in regex module
Resent-From: Paul Eggert <eggert@cs.ucla.edu>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-sed@gnu.org
Resent-Date: Thu, 06 Sep 2018 08:25:02 +0000
Resent-Message-ID: <handler.32592.B32592.15362222869190@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 32592
X-GNU-PR-Package: sed
X-GNU-PR-Keywords: 
To: Assaf Gordon <assafgordon@gmail.com>
Cc: "bug-gnulib@gnu.org List" <bug-gnulib@gnu.org>, Jim Meyering <jim@meyering.net>, bill-auger <bill-auger@peers.community>, 32592@debbugs.gnu.org, Saito Takaaki <tails.saito@gmail.com>, Eric Blake <eblake@redhat.com>
Received: via spool by 32592-submit@debbugs.gnu.org id=B32592.15362222869190
          (code B ref 32592); Thu, 06 Sep 2018 08:25:02 +0000
Received: (at 32592) by debbugs.gnu.org; 6 Sep 2018 08:24:46 +0000
Received: from localhost ([127.0.0.1]:47662 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1fxpan-0002O8-Q5
	for submit@debbugs.gnu.org; Thu, 06 Sep 2018 04:24:45 -0400
Received: from zimbra.cs.ucla.edu ([131.179.128.68]:42230)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eggert@cs.ucla.edu>) id 1fxpam-0002Nu-BW
 for 32592@debbugs.gnu.org; Thu, 06 Sep 2018 04:24:45 -0400
Received: from localhost (localhost [127.0.0.1])
 by zimbra.cs.ucla.edu (Postfix) with ESMTP id 7FE28161170;
 Thu,  6 Sep 2018 01:24:37 -0700 (PDT)
Received: from zimbra.cs.ucla.edu ([127.0.0.1])
 by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10032)
 with ESMTP id wB-022zxQlo9; Thu,  6 Sep 2018 01:24:36 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
 by zimbra.cs.ucla.edu (Postfix) with ESMTP id 9DD1B1613F9;
 Thu,  6 Sep 2018 01:24:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at zimbra.cs.ucla.edu
Received: from zimbra.cs.ucla.edu ([127.0.0.1])
 by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10026)
 with ESMTP id 3LprVLiqqd6h; Thu,  6 Sep 2018 01:24:36 -0700 (PDT)
Received: from [192.168.1.9] (cpe-23-242-74-103.socal.res.rr.com
 [23.242.74.103])
 by zimbra.cs.ucla.edu (Postfix) with ESMTPSA id 47B20161170;
 Thu,  6 Sep 2018 01:24:36 -0700 (PDT)
References: <CAMbU8_ETi0=t81=M06BPRWukTn+wz0HQH0T7vG46+ruta4XdXQ@mail.gmail.com>
 <64f9d762-bdaf-9c4f-444f-f18f36b452cf@gmail.com>
 <CAMbU8_F+EAyojfosT49b73JyBZ-QxeqkmUfPhJMmZF4zv3kh9Q@mail.gmail.com>
 <6321ec76-bb32-d9e0-42ce-cbb371b8118c@gmail.com>
 <CA+8g5KH4dAPvD25qzBF+RifhAXpwQVQrdLyHpYg0HRF9rQ6zgg@mail.gmail.com>
 <20f04d18-bb9b-d7f3-2f99-69f2648a0346@gmail.com>
 <1a5e6d4d-4c27-d277-be4d-4a6864489dfb@gmail.com>
 <CA+8g5KFbdW=wc1X9fzWEbo0jkmjE3hfogMXvaUBgAxTbW7kyUw@mail.gmail.com>
 <e1e98548-7304-5693-62f9-dcd7d585352b@cs.ucla.edu>
 <CAHN-GmzBCCxKYCrMY2OAe=Y7Od0UgewfmuJnR3a5PA6YGhRTYA@mail.gmail.com>
From: Paul Eggert <eggert@cs.ucla.edu>
Organization: UCLA Computer Science Department
Message-ID: <956a6cd2-1fb4-f0e7-a1c2-6bfb52bb0074@cs.ucla.edu>
Date: Thu, 6 Sep 2018 01:24:35 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <CAHN-GmzBCCxKYCrMY2OAe=Y7Od0UgewfmuJnR3a5PA6YGhRTYA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spam-Score: -2.3 (--)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Assaf Gordon wrote:
> Speaking of coincidences,
> I just found this use-after-free bug was already reported (but not fixed)
> back in 2015:https://sourceware.org/bugzilla/show_bug.cgi?id=18040  .

Thanks, I had looked for a duplicate bug report before filing glibc bug 23609 
but did not find that one. I have added notes to glibc bugs 18040 and 23609 
suggesting that they be merged (which is apparently not something I can do via 
the web UI).




From unknown Thu Aug 14 21:56:19 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#32592: heap-use-after-free in regex module
Resent-From: Jim Meyering <jim@meyering.net>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-sed@gnu.org
Resent-Date: Thu, 06 Sep 2018 13:43:02 +0000
Resent-Message-ID: <handler.32592.B32592.153624132422218@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 32592
X-GNU-PR-Package: sed
X-GNU-PR-Keywords: 
To: Paul Eggert <eggert@cs.ucla.edu>
Cc: Assaf Gordon <assafgordon@gmail.com>, "bug-gnulib@gnu.org List" <bug-gnulib@gnu.org>, bill-auger@peers.community, 32592@debbugs.gnu.org, tails.saito@gmail.com, Eric Blake <eblake@redhat.com>
Received: via spool by 32592-submit@debbugs.gnu.org id=B32592.153624132422218
          (code B ref 32592); Thu, 06 Sep 2018 13:43:02 +0000
Received: (at 32592) by debbugs.gnu.org; 6 Sep 2018 13:42:04 +0000
Received: from localhost ([127.0.0.1]:47749 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1fxuXr-0005mG-PG
	for submit@debbugs.gnu.org; Thu, 06 Sep 2018 09:42:03 -0400
Received: from mail-wr1-f50.google.com ([209.85.221.50]:39074)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <meyering@gmail.com>) id 1fxuXp-0005lf-PC
 for 32592@debbugs.gnu.org; Thu, 06 Sep 2018 09:42:02 -0400
Received: by mail-wr1-f50.google.com with SMTP id s14-v6so2490634wrw.6
 for <32592@debbugs.gnu.org>; Thu, 06 Sep 2018 06:42:01 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=j1xxBC0v59UpKysvORI1M5+4YNX14/6K+CfMJnIU958=;
 b=UL0bvdvRfwHsUcw/R3YASM+PmFLvSkDO2STt7cV8ApuaYjn6s1CaO+SRZHLgq6dsb5
 6NRv1HAVUUk70XDPk6xpCU734oAQ6k6w09fBPBuRLqW5xfCZuTPSEq59FJqUiXkZgfKD
 4v57UryeQhmMxnPnQ5oFsbyYGBOHd8+NaR6iPlSrSfLz3WclqLoK/HmtDJ5OYp1A3yP/
 h9KG8uKusVe1AXgrnyPC9oxMYbSHRqREuFZhRs6kmp2aJzvnecw1eWFpzJXFkY3gf8s+
 4ylzC8wni+Q0l5kjK6SThk+XBQHhxhlZC4Qn7Msv8n8zcuk0hSF7fgUqfG1ntUKWabwq
 gRDA==
X-Gm-Message-State: APzg51AD/xsh1MYjPvtGnkwWVSRhTOgMAWifmGpqXE8wY7Y0evx7RRAd
 JVlW6/P80a42fH1+0NJ/epBBhIlcjV+h1gdXzS0=
X-Google-Smtp-Source: ANB0VdZDSAwjhGykLJLySCPKSXvR9hQVIi02RmzZyUVUMgjiSV2oeE5gM/z3igvHagMY0p/kGAWeXV0dTTrN+blwdJU=
X-Received: by 2002:a5d:50cf:: with SMTP id
 f15-v6mr2529839wrt.128.1536241315529; 
 Thu, 06 Sep 2018 06:41:55 -0700 (PDT)
MIME-Version: 1.0
References: <CAMbU8_ETi0=t81=M06BPRWukTn+wz0HQH0T7vG46+ruta4XdXQ@mail.gmail.com>
 <64f9d762-bdaf-9c4f-444f-f18f36b452cf@gmail.com>
 <CAMbU8_F+EAyojfosT49b73JyBZ-QxeqkmUfPhJMmZF4zv3kh9Q@mail.gmail.com>
 <6321ec76-bb32-d9e0-42ce-cbb371b8118c@gmail.com>
 <CA+8g5KH4dAPvD25qzBF+RifhAXpwQVQrdLyHpYg0HRF9rQ6zgg@mail.gmail.com>
 <20f04d18-bb9b-d7f3-2f99-69f2648a0346@gmail.com>
 <1a5e6d4d-4c27-d277-be4d-4a6864489dfb@gmail.com>
 <CA+8g5KFbdW=wc1X9fzWEbo0jkmjE3hfogMXvaUBgAxTbW7kyUw@mail.gmail.com>
 <e1e98548-7304-5693-62f9-dcd7d585352b@cs.ucla.edu>
In-Reply-To: <e1e98548-7304-5693-62f9-dcd7d585352b@cs.ucla.edu>
From: Jim Meyering <jim@meyering.net>
Date: Thu, 6 Sep 2018 06:41:41 -0700
Message-ID: <CA+8g5KFmHJ_rw1ZCzqdsUb4E3CZ53r4qggPo6NHM0pOyfr7_+g@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 0.4 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.6 (/)

On Thu, Sep 6, 2018 at 12:18 AM Paul Eggert <eggert@cs.ucla.edu> wrote:
> Jim Meyering wrote:
> > I couldn't help but notice this nonsense right after the line
> > you inserted:
> >
> >            if (err == REG_NOMATCH)
> >              continue;
> >          }
> >
> > That is an "if (...) continue;" just before the closing brace of a
> > for-loop. Those two lines constitute a no-op and should be removed,
> > though not as part of your change.
>
> Actually I think the abovementioned code should be kept, and the nonsense comes
> from the fact that some code is missing after the "if". When err != REG_NOMATCH
> && err != REG_NOERROR, the function should exit the loop and return immediately,
> because there is a memory allocation error in a subroutine.
>
> What a coincidence that we would find two bugs right next to each other, huh?...

Indeed. Glad you realized that.




From debbugs-submit-bounces@debbugs.gnu.org Mon Oct 08 19:49:17 2018
Received: (at control) by debbugs.gnu.org; 8 Oct 2018 23:49:17 +0000
Received: from localhost ([127.0.0.1]:40961 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1g9fH2-000274-U6
	for submit@debbugs.gnu.org; Mon, 08 Oct 2018 19:49:17 -0400
Received: from mail-io1-f51.google.com ([209.85.166.51]:42878)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <assafgordon@gmail.com>)
 id 1g9fH1-00026o-6p; Mon, 08 Oct 2018 19:49:15 -0400
Received: by mail-io1-f51.google.com with SMTP id n18-v6so17181752ioa.9;
 Mon, 08 Oct 2018 16:49:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=subject:to:references:from:message-id:date:user-agent:mime-version
 :in-reply-to:content-language:content-transfer-encoding;
 bh=fDGj/C64NUoykD0asIX89ytFfgh2D51pqYokygBUcgg=;
 b=puz4akO+jej6RZ17kqIlzaQgpVJMVNFnU3IDSOSe9arhP4c4ZaqD7x50q1/xiLeeGW
 MN1cTsep525ujTQIBz6aFizd5urtd1F9RM8kRzpnzI6nn8iulCss8Rr2KSlgCgl06hjG
 YKGvkdRSXk/AtVBN8xgGniveE2FjF+BPRyU4StwaQL1+15FEf7Dq9R51PHBeldTyfP+m
 aLDjFJyOd6FHyT0QsduC6cRE5x8GK4hfmQI51jTf/jrR7lqF5CSlQjxbtMlvYI2SYyxn
 p71Gq1Qn0DmNzTokgGh3qWK3XuA2S2wu30OgB8xDfjnk5DxbYo5nt20djjPz9O6SxbyL
 K2fg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:subject:to:references:from:message-id:date
 :user-agent:mime-version:in-reply-to:content-language
 :content-transfer-encoding;
 bh=fDGj/C64NUoykD0asIX89ytFfgh2D51pqYokygBUcgg=;
 b=WMAUP2sv5Mmx0Ae+KRZSqAaaE6nX9rJQMQpE+riZ95m7BJ1/LB2j3EJXlkEm6KmuV/
 +IKFfHEJQsMAiZtW6j3vAnISBjYDNh0KSxXLrxX9Sx81XghcbrKp4eJLIyl/+tftSCSd
 IthaUEUNOzk1cmuYbTZJxihtUW8I3uHoMmQaS/L4cgEZ8+uthU5IhM/SldIhLkj3+Oca
 p/2/thjCQ71qUrGq4EeRZqtytq7V6g+/ryz/85yQqxwSrSMKP0RAditqVyNfA/XORv/F
 j0oRph9g3LXMWsJVPOdgvtYlm2eRSVFLUrElBr8UU8Wp+MLNSPLY87KD7j1ShS0rnBmf
 +SuA==
X-Gm-Message-State: ABuFfohVrFxEbduypLzTR3A1OXpoC/CfLU/YMPnkCwMbE2ZMv68Rti7i
 F/5heL1KDGgtTg49byG6cy6oUkay
X-Google-Smtp-Source: ACcGV61HR5rRbU337TyoVHx86AHSvBprhKispSGuvQGT9Zhv26yzJuZqNWmhLMKDxNn5yuz21xLBQQ==
X-Received: by 2002:a6b:b20b:: with SMTP id
 b11-v6mr16847947iof.172.1539042549008; 
 Mon, 08 Oct 2018 16:49:09 -0700 (PDT)
Received: from tomato.housegordon.com (moose.housegordon.com. [184.68.105.38])
 by smtp.googlemail.com with ESMTPSA id
 e78-v6sm6802965itc.4.2018.10.08.16.49.07
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Mon, 08 Oct 2018 16:49:07 -0700 (PDT)
Subject: Re: bug#32592: heap-use-after-free in regex module
To: 32592-done@debbugs.gnu.org
References: <CAMbU8_ETi0=t81=M06BPRWukTn+wz0HQH0T7vG46+ruta4XdXQ@mail.gmail.com>
 <64f9d762-bdaf-9c4f-444f-f18f36b452cf@gmail.com>
 <CAMbU8_F+EAyojfosT49b73JyBZ-QxeqkmUfPhJMmZF4zv3kh9Q@mail.gmail.com>
 <6321ec76-bb32-d9e0-42ce-cbb371b8118c@gmail.com>
 <CA+8g5KH4dAPvD25qzBF+RifhAXpwQVQrdLyHpYg0HRF9rQ6zgg@mail.gmail.com>
 <20f04d18-bb9b-d7f3-2f99-69f2648a0346@gmail.com>
 <1a5e6d4d-4c27-d277-be4d-4a6864489dfb@gmail.com>
 <CA+8g5KFbdW=wc1X9fzWEbo0jkmjE3hfogMXvaUBgAxTbW7kyUw@mail.gmail.com>
 <e1e98548-7304-5693-62f9-dcd7d585352b@cs.ucla.edu>
 <CA+8g5KFmHJ_rw1ZCzqdsUb4E3CZ53r4qggPo6NHM0pOyfr7_+g@mail.gmail.com>
From: Assaf Gordon <assafgordon@gmail.com>
Message-ID: <acc22d84-23d6-fc40-c7e6-61b20a8b29e3@gmail.com>
Date: Mon, 8 Oct 2018 17:49:06 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <CA+8g5KFmHJ_rw1ZCzqdsUb4E3CZ53r4qggPo6NHM0pOyfr7_+g@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: control
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

tags 32592 fixed
close 32592
thanks

This has been fixed in gnulib and pulled into sed, so closing.