[Bug regex/22620] New: parse_expression blows stack for a 20k-byte regexp with only '('s


[Bug regex/22620] New: parse_expression blows stack for a 20k-byte regexp with only '('s

schwab@linux-m68k.org
https://sourceware.org/bugzilla/show_bug.cgi?id=22620

            Bug ID: 22620
           Summary: parse_expression blows stack for a 20k-byte regexp
                    with only '('s
           Product: glibc
           Version: 2.28
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: jim at meyering dot net
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

glibc's regexp parser used to diagnose this problem with "Unmatched ( or \(",
but that no longer happens. Perhaps related (since COMPILE_STACK_ macros are
what caught the problem before), this change in 2002 removed the code in
question:
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=51f38e87b13f233bdf76bd6d3edaabf4fd9eb126

Now, attempting to compile such a regexp causes stack overflow and probable
segfault.

Demonstrate with this:

$ cat regex-compile-lparen-stack-overflow.c
#include <stdlib.h>
#include <string.h>
#include <regex.h>

int
main (int argc, char **argv)
{
  /* Build a pattern consisting of n unbalanced '(' characters.  */
  size_t n = 40000;
  regex_t preg;
  char *pat = malloc (n+1);
  if (!pat) return 2;
  memset (pat, '(', n);
  pat[n] = '\0';
  /* regcomp should fail with REG_EPAREN ("Unmatched ( or \(").  Instead,
     the parser recurses once per nested '(' and overflows the stack.  */
  int rc = regcomp (&preg, pat, REG_EXTENDED);
  return rc == 0;
}
$ gcc -g -O -Wall regex-compile-lparen-stack-overflow.c && ./a.out
segmentation fault (core dumped)  ./a.out

--
You are receiving this mail because:
You are on the CC list for the bug.
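The reproducer above shows that a pattern an attacker controls can exhaust the stack inside regcomp() before any error is returned. The following is an added example, not code from the bug report or from glibc: a defensive pre-check that bounds the nesting depth of '(' groups in an untrusted POSIX ERE and refuses to call regcomp() when the bound is exceeded. The limit MAX_GROUP_DEPTH, the function names ere_max_group_depth, safe_regcomp and make_lparen_pattern, and the -1 rejection code are all assumptions chosen for this example; the bracket-expression handling is deliberately conservative (it may overcount, never undercount, group openers).

```c
/* Added example (not from the bug report or glibc): bound the group nesting
 * depth of an untrusted ERE before it reaches regcomp(), so a pathological
 * pattern like the one in the report is rejected instead of blowing the stack. */
#include <regex.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical limit for this example; tune to what the application needs. */
#define MAX_GROUP_DEPTH 200

/* Return the maximum nesting depth of unescaped '(' groups in an ERE pattern.
 * Escaped parens ("\(") and parens inside a bracket expression ("[(]") do not
 * open a group and are skipped.  Stray ')' are ignored here; regcomp() will
 * diagnose them.  Character classes such as "[[:alpha:]]" are handled
 * conservatively: the scanner may leave the bracket early and count a later
 * '(' that is really literal, which only makes the check stricter. */
size_t ere_max_group_depth(const char *pat)
{
    size_t depth = 0, max_depth = 0;
    bool in_bracket = false;

    for (size_t i = 0; pat[i] != '\0'; i++) {
        char c = pat[i];
        if (in_bracket) {
            if (c == ']')
                in_bracket = false;
            continue;
        }
        switch (c) {
        case '\\':
            if (pat[i + 1] != '\0')
                i++;                 /* skip the escaped character */
            break;
        case '[':
            in_bracket = true;
            /* A ']' right after '[' or "[^" is a literal, not the closer. */
            if (pat[i + 1] == '^')
                i++;
            if (pat[i + 1] == ']')
                i++;
            break;
        case '(':
            if (++depth > max_depth)
                max_depth = depth;
            break;
        case ')':
            if (depth > 0)
                depth--;
            break;
        default:
            break;
        }
    }
    return max_depth;
}

/* Compile an untrusted ERE only when its group nesting is within bounds.
 * Returns regcomp()'s result, or -1 if the pattern was rejected by the
 * pre-check and regcomp() was never called. */
int safe_regcomp(regex_t *preg, const char *pat, int cflags)
{
    if (ere_max_group_depth(pat) > MAX_GROUP_DEPTH)
        return -1;
    return regcomp(preg, pat, cflags);
}

/* Constructed input: a pattern of n '(' characters, as in the report's
 * reproducer.  The caller frees the result. */
char *make_lparen_pattern(size_t n)
{
    char *pat = malloc(n + 1);
    if (!pat)
        return NULL;
    memset(pat, '(', n);
    pat[n] = '\0';
    return pat;
}

int main(void)
{
    regex_t re;
    char *bad = make_lparen_pattern(40000);
    if (!bad)
        return 2;
    printf("40000 x '(' : depth %zu, safe_regcomp -> %d\n",
           ere_max_group_depth(bad), safe_regcomp(&re, bad, REG_EXTENDED));
    free(bad);

    int rc = safe_regcomp(&re, "(a|b)+c", REG_EXTENDED);
    printf("\"(a|b)+c\"   : safe_regcomp -> %d\n", rc);
    if (rc == 0)
        regfree(&re);
    return 0;
}
```

The pre-check costs one linear pass over the pattern and never calls into the regex engine for a rejected input, so it is a cheap guard to put in front of any regcomp() call that takes patterns from outside the trust boundary.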

[Bug regex/22620] parse_expression blows stack for a 20k-byte regexp with only '('s

schwab@linux-m68k.org
https://sourceware.org/bugzilla/show_bug.cgi?id=22620

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Not marking as a security bug because of the inherent DoS potential of regular
expressions.
