From nobody@FreeBSD.org  Tue Mar 19 15:50:46 2002
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 73C8237B402
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 19 Mar 2002 15:50:46 -0800 (PST)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g2JNokD54562;
	Tue, 19 Mar 2002 15:50:46 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200203192350.g2JNokD54562@freefall.freebsd.org>
Date: Tue, 19 Mar 2002 15:50:46 -0800 (PST)
From: mki <mki@nospam.mozone.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: please MFC 1.24 of libc/regex/regcomp.c
X-Send-Pr-Version: www-1.0

>Number:         36114
>Category:       misc
>Synopsis:       please MFC 1.24 of libc/regex/regcomp.c
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    dcs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 19 16:00:01 PST 2002
>Closed-Date:    Wed Mar 20 05:13:46 PST 2002
>Last-Modified:  Wed Mar 20 05:13:46 PST 2002
>Originator:     mki
>Release:        4.5-RELEASE, 4.5-STABLE
>Organization:
>Environment:
>Description:
Programs that use regcomp/regexec get SIGBUS'd when running under ElectricFence and similar mem bounds checkers.  This is due to the BM search algo reading beyond the length of an array in computematchjumps().  Here's the stack trace of the attached program:

Program received signal SIGBUS, Bus error.
0x804c5d5 in computematchjumps (p=0xbfbff46c, g=0x28104ea0) at regcomp.c:2048
2048                    ssuffix = pmatches[ssuffix];
(gdb) where
#0  0x804c5d5 in computematchjumps (p=0xbfbff46c, g=0x28104ea0) at regcomp.c:2048
#1  0x8048fe8 in regcomp (preg=0xbfbff70c, pattern=0x804da20 "127.0.0.1/10", cflags=7) at regcomp.c:281
#2  0x8048d08 in main (argc=1, argv=0xbfbff770) at test.c:10
#3  0x8048c5d in _start ()
(gdb) frame 0
#0  0x804c5d5 in computematchjumps (p=0xbfbff46c, g=0x28104ea0) at regcomp.c:2048
2048                    ssuffix = pmatches[ssuffix];
(gdb) l
2043                    while (suffix <= ssuffix && suffix < g->mlen) {
2044                            g->matchjump[suffix] = MIN(g->matchjump[suffix],
2045                                g->mlen + ssuffix - suffix);
2046                            suffix++;
2047                    }
2048                    ssuffix = pmatches[ssuffix];
2049            }
2050
2051            free(pmatches);
2052    }
(gdb) print ssuffix
$1 = 4
(gdb) l 2000
1995
1996            /* Avoid making errors worse */
1997            if (p->error != 0)
1998                    return;
1999
2000            pmatches = (int*) malloc(g->mlen * sizeof(unsigned int));
2001            if (pmatches == NULL) {
2002                    g->matchjump = NULL;
2003                    return;
2004            }
(gdb) print g->mlen
$2 = 4
(gdb) print pmatches[0]
$3 = 3
(gdb) print pmatches[1]
$4 = 3
(gdb) print pmatches[2]
$5 = 3
(gdb) print pmatches[3]
$6 = 4
(gdb) print pmatches[4]
Error accessing memory address 0x2810d000: Bad address.
(gdb) print ssuffix
$7 = 4

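The trace above pins the fault to a single read: ssuffix has become 4, which is mlen, and pmatches was allocated with exactly mlen entries, so pmatches[ssuffix] is one element past the end. The program below is an added example, not code from this PR or from FreeBSD's libc. It re-types the loop shown at regcomp.c:2043-2049 (the outer "while (suffix < mlen)" header, the initial ssuffix, the entry value suffix = 3 and the initial matchjump contents are assumptions, chosen so that ssuffix is 4 at the bad read exactly as "$7 = 4" shows), backs pmatches with an ElectricFence-style guard page so the overrun faults deterministically, and traps the fault with sigsetjmp/siglongjmp so the result comes back as a return value. The "guarded" variant adds a bound check before the read; that check is the example's own and is not a claim about what revision 1.24 changed. All function names (guarded_alloc_ints, matchjump_tail, probe_tail) are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Fault trap: a guard-page hit becomes a siglongjmp back into probe_tail()
 * instead of killing the process. */
static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_armed;

static void fault_handler(int sig)
{
    (void)sig;
    if (fault_armed)
        siglongjmp(fault_env, 1);
    _exit(99);  /* a fault outside a probe: nothing sensible to do */
}

/* ElectricFence-style allocation of n ints (n * sizeof(int) <= one page):
 * the array ends exactly where a PROT_NONE guard page begins, so the
 * one-past-the-end element p[n] faults on access. */
static int *guarded_alloc_ints(size_t n)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE), bytes = n * sizeof(int);
    char *base;
    if (bytes > page)
        return NULL;
    base = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    if (mprotect(base + page, page, PROT_NONE) != 0) {
        munmap(base, 2 * page);
        return NULL;
    }
    return (int *)(base + page - bytes);
}

static void guarded_free_ints(int *p, size_t n)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    munmap((char *)p + n * sizeof(int) - page, 2 * page);
}

/* Tail of the matchjump computation, re-typed from the gdb listing
 * (regcomp.c:2043-2049).  The outer loop header and the initial ssuffix are
 * this example's assumptions; the page shows only the inner loop.  In the
 * trace pmatches[mlen-1] == mlen, so ssuffix can equal mlen; once the inner
 * loop has pushed suffix to mlen, the unguarded pmatches[ssuffix] read is one
 * past the end.  guarded != 0 adds a bound check before that read (the
 * example's own fix, not the revision 1.24 change).  pmatches is volatile so
 * the faulting load cannot be optimized away. */
static int matchjump_tail(const volatile int *pmatches, int mlen, int suffix,
                          int *matchjump, int guarded)
{
    int ssuffix = pmatches[suffix];
    while (suffix < mlen) {
        while (suffix <= ssuffix && suffix < mlen) {
            matchjump[suffix] = MIN(matchjump[suffix], mlen + ssuffix - suffix);
            suffix++;
        }
        if (guarded && suffix >= mlen)
            break;
        ssuffix = pmatches[ssuffix];
    }
    return ssuffix;
}

/* Runs matchjump_tail() over a guard-page-backed copy of values[] under the
 * fault trap.  Returns 0 if the loop finished, -1 if it read the guard page
 * (an out-of-bounds read), -2 if allocation failed. */
static int probe_tail(const int *values, int mlen, int suffix, int guarded)
{
    struct sigaction sa = { 0 };
    volatile int result = -2;
    int *pm = guarded_alloc_ints((size_t)mlen);
    int *mj = malloc((size_t)mlen * sizeof *mj);
    if (pm == NULL || mj == NULL)
        goto out;
    for (int i = 0; i < mlen; i++) {
        pm[i] = values[i];
        mj[i] = 2 * mlen - i - 1;   /* assumed initial matchjump contents */
    }
    sa.sa_handler = fault_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);  /* Linux reports the guard hit as SIGSEGV */
    sigaction(SIGBUS, &sa, NULL);   /* FreeBSD reported it as SIGBUS in the PR */
    if (sigsetjmp(fault_env, 1) == 0) {
        fault_armed = 1;
        (void)matchjump_tail(pm, mlen, suffix, mj, guarded);
        result = 0;
    } else {
        result = -1;
    }
    fault_armed = 0;
out:
    free(mj);
    if (pm != NULL)
        guarded_free_ints(pm, (size_t)mlen);
    return result;
}

int main(void)
{
    /* From the trace: mlen = 4, pmatches = {3,3,3,4}.  suffix = 3 on entry is
     * the assumed state that yields ssuffix == 4 ("$7 = 4") at the bad read. */
    static const int pmatches_from_trace[4] = { 3, 3, 3, 4 };
    int unguarded = probe_tail(pmatches_from_trace, 4, 3, 0);
    int guarded = probe_tail(pmatches_from_trace, 4, 3, 1);
    printf("unguarded: %s\nguarded: %s\n",
           unguarded == -1 ? "faulted reading pmatches[mlen]" : "no fault",
           guarded == 0 ? "completed" : "faulted");
    return (unguarded == -1 && guarded == 0) ? 0 : 1;
}
```

Build with "cc -O2 -o probe probe.c" and run; the unguarded pass faults on pmatches[4] and the guarded pass completes. Starting the same loop at suffix = 0 instead does not fault, because the last in-bounds read is pmatches[3]; the overrun only happens when ssuffix reaches the value mlen, which is exactly what a plain malloc'd buffer hides and a guard page exposes. ElectricFence applies this placement to every malloc() in the process, which is why the submitter's test program below dies with SIGBUS instead of silently reading heap garbage.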

>How-To-Repeat:
#include <stdio.h>
#include <sys/types.h>
#include <regex.h>

int main(int argc, char **argv) {
  regex_t       preg;
  int           r;
  char          errbuf[512];

  (void)argc;
  (void)argv;

  /* Compiling this one pattern is enough to reach computematchjumps();
   * under ElectricFence the process dies with SIGBUS inside regcomp()
   * before the error check below is ever reached. */
  r = regcomp(&preg, "127.0.0.1/10", REG_NOSUB|REG_EXTENDED|REG_ICASE);
  if ( r != 0 ) {
    regerror(r, &preg, errbuf, sizeof(errbuf));
    printf("couldn't compile regex pattern, %s\n", errbuf);
    return -1;
  }

  regfree(&preg);
  return 0;
}


>Fix:
The fix was committed to -CURRENT back in November (revision 1.24); it was supposed to be MFCd within a week from that commit, but it seems to have been forgotten.  Please MFC it.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->dcs 
Responsible-Changed-By: dd 
Responsible-Changed-When: Tue Mar 19 21:32:18 PST 2002 
Responsible-Changed-Why:  
Over to committer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=36114 
State-Changed-From-To: open->closed 
State-Changed-By: dcs 
State-Changed-When: Wed Mar 20 05:13:21 PST 2002 
State-Changed-Why:  
Thanks for the reminder. Fixed. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=36114 
>Unformatted:
