bug#34141: Stackoverflow triggered at lib/regexec.c:1948

[Hongxu Chen]

Hi,

    Latest sed (4.7.4-f8503-dirty; and prior to this, e.g. 4.4) may trigger
a stack overflow error by executing the following command.

    echo 0 | ./sed '/\(\)\(\1\(\)\1\(\)\)*/c0'    # equivalently sed -f
c01.sed c01.in

    ASan reports like this:
AddressSanitizer:DEADLYSIGNAL



=================================================================



==26879==ERROR: AddressSanitizer: stack-overflow on address 0x7ffea609bff8
(pc 0x0000005b0b76 bp 0x7ffea609c090 sp 0x7ffea609bf20 T0)


    #0 0x5b0b75 in check_dst_limits_calc_pos_1
/home/hongxu/FOT/sed-O0/./lib/regexec.c:1912:18


    #1 0x5b0ed3 in check_dst_limits_calc_pos_1
/home/hongxu/FOT/sed-O0/./lib/regexec.c:1948:7


    #2 0x5b0ed3 in check_dst_limits_calc_pos_1
/home/hongxu/FOT/sed-O0/./lib/regexec.c:1948:7


    #3 0x5b0ed3 in check_dst_limits_calc_pos_1
/home/hongxu/FOT/sed-O0/./lib/regexec.c:1948:7


    #4 0x5b0ed3 in check_dst_limits_calc_pos_1
/home/hongxu/FOT/sed-O0/./lib/regexec.c:1948:7


    #5 0x5b0ed3 in check_dst_limits_calc_pos_1
/home/hongxu/FOT/sed-O0/./lib/regexec.c:1948:7


    #6 0x5b0ed3 in check_dst_limits_calc_pos_1
/home/hongxu/FOT/sed-O0/./lib/regexec.c:1948:7


    #7 0x5b0ed3 in check_dst_limits_calc_pos_1
/home/hongxu/FOT/sed-O0/./lib/regexec.c:1948:7
...
    #247 0x5b0ed3 in check_dst_limits_calc_pos_1
/home/hongxu/FOT/sed-O0/./lib/regexec.c:1948:7


    #248 0x5b0ed3 in check_dst_limits_calc_pos_1
/home/hongxu/FOT/sed-O0/./lib/regexec.c:1948:7


    #249 0x5b0ed3 in check_dst_limits_calc_pos_1
/home/hongxu/FOT/sed-O0/./lib/regexec.c:1948:7






SUMMARY: AddressSanitizer: stack-overflow
/home/hongxu/FOT/sed-O0/./lib/regexec.c:1912:18 in
check_dst_limits_calc_pos_1

==26879==ABORTING

Best Regards,
Hongxu

c01.in
Description: Binary data

c01.sed
Description: Binary data

c01.asan
Description: Binary data