bug-sed

bug#32271: heap buffer overflow in regexp.c, line 286


From: Assaf Gordon
Subject: bug#32271: heap buffer overflow in regexp.c, line 286
Date: Fri, 3 Aug 2018 19:58:46 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1

tags 32271 fixed
close 32271
stop

On 02/08/18 09:15 AM, Jim Meyering wrote:
> On Fri, Jul 27, 2018 at 12:13 PM, Assaf Gordon <address@hidden> wrote:
>> On 25/07/18 08:34 AM, project-repo wrote:
>>
>>> I let the fuzzer run again and it came up with a second heap buffer
>>> overflow. This time in regexp.c, line 286. Here is a backtrace as
>>> supplied by the address sanitizer:
>>
>> The two attached patches should explain it in detail.
>>
>> As these changes are somewhat subtle, I encourage everyone to
>> double-check them...
>
> Fine work, yet again. Thank you!
> I did spot one nit: the addition of two leading TAB bytes in the
> latter patch. Should be 8 spaces, of course:

Thanks for the review.

Pushed here:
https://git.savannah.gnu.org/cgit/sed.git/commit/?id=2cb09e14
https://git.savannah.gnu.org/cgit/sed.git/commit/?id=007a4176

-assaf
