I was surprised to be able to provoke a segfault in grep.
Even more surprised to see that the flaw was in regcomp.c.
Here's the patch I'll push to gnulib.
I expect the same will go to glibc soon.
From 1051177e3c202667889628fd73aee7c3b470f99d Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyer...@fb.com>
Date: Sat, 12 Jul 2014 16:33:49 -0700
Subject: [PATCH] regex: don't deref NULL upon heap allocation failure

* lib/regcomp.c (parse_dup_op): Handle duplicate_tree
failure in one more place.
To trigger the segfault, configure grep -with-included-regex,
build it, and run these commands:
( ulimit -v 300000; echo a|src/grep -E a+++++++++++++++++++++ )
I discovered this while replying to a private report from
Jens Schleusener about excessive memory consumption by grep
when using a regular expression like the one above.
---
 ChangeLog     | 12 ++++++++++++
 lib/regcomp.c |  2 ++
 2 files changed, 14 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 0a7b82f..8131fd1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2014-07-12  Jim Meyering  <meyer...@fb.com>
+
+       regex: don't deref NULL upon heap allocation failure
+       * lib/regcomp.c (parse_dup_op): Handle duplicate_tree
+       failure in one more place.
+       To trigger the segfault, configure grep -with-included-regex,
+       build it, and run these commands:
+       ( ulimit -v 300000; echo a|src/grep -E a+++++++++++++++++++++ )
+       I discovered this while replying to a private report from
+       Jens Schleusener about excessive memory consumption by grep
+       when using a regular expression like the one above.
+
 2014-07-11  Paul Eggert  <egg...@cs.ucla.edu>

        regex: fix memory leak in compiler
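Review bot: the reproducer in the new ChangeLog entry spells the configure option with a single dash, `configure grep -with-included-regex`; grep's configure script takes `--with-included-regex`, so the entry (and the commit message it mirrors) should say `configure grep --with-included-regex` or a reader copying the line will not get the bundled regex this fix is for. Also worth stating that `ulimit -v 300000` is in kilobytes, since the whole trigger depends on the heap running out at that limit; otherwise the entry matches the commit message as gnulib convention requires.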
diff --git a/lib/regcomp.c b/lib/regcomp.c
index 44c6c5e..c306ffb 100644
--- a/lib/regcomp.c
+++ b/lib/regcomp.c
@@ -2635,6 +2635,8 @@ parse_dup_op (bin_tree_t *elem, re_string_t *regexp, 
re_dfa_t *dfa,

       /* Duplicate ELEM before it is marked optional.  */
       elem = duplicate_tree (elem, dfa);
+      if (BE (elem == NULL, 0))
+        goto parse_dup_op_espace;
       old_tree = tree;
     }
   else
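Review bot: the new `if (BE (elem == NULL, 0)) goto parse_dup_op_espace;` is placed correctly, directly after `elem = duplicate_tree (elem, dfa);` and before `old_tree = tree;`, but the label it jumps to and the code that dereferences `elem` are both outside the hunk, so the reviewer has to confirm two things: that `parse_dup_op_espace` sets the REG_ESPACE error and returns NULL, and that the partially built `tree` assigned earlier in this branch needs no explicit freeing on that path (nothing in the hunk releases it before the goto). The patch also carries no test; the commit message's `ulimit -v 300000; echo a | src/grep -E a+++++++++++++++++++++` reproducer is the natural regression test for the allocation-failure path this adds and should go in alongside the fix.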
-- 
2.0.0.421.g786a89d

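The bug class behind this patch, as an added worked example that is not code from gnulib, glibc or grep: a toy model of parse_dup_op in which malloc can be made to fail on demand (fault injection in place of the `ulimit -v` trigger), with the unchecked use of the copy beside the checked version the patch introduces. Every `toy_`-prefixed name, the tree shape and the error codes are this example's own assumptions; only the contract (duplicate_tree returns NULL when allocation fails, and the ESPACE label reports the error) is taken from the patch.

```c
/* Added example, not gnulib/glibc/grep code: a toy model of regcomp.c's
   parse_dup_op with fault-injected malloc, showing why the pointer
   returned by duplicate_tree must be NULL-checked before use.
   All toy_* names are inventions of this example. */
#include <stdio.h>
#include <stdlib.h>

enum { TOY_SUCCESS = 0, TOY_ESPACE = 1 };   /* TOY_ESPACE stands in for REG_ESPACE */
enum { TOY_SUBEXP = 1, TOY_OPT_SUBEXP = 2, TOY_CONCAT = 3 };

typedef struct toy_node {
  int type;                                 /* stand-in for token.type */
  struct toy_node *left, *right;
} toy_node;

/* Fault injection: how many allocations still succeed; negative = never fail. */
static long toy_alloc_budget = -1;
void toy_set_alloc_budget (long budget) { toy_alloc_budget = budget; }

static void *toy_malloc (size_t n)
{
  if (toy_alloc_budget == 0) return NULL;   /* simulated heap exhaustion */
  if (toy_alloc_budget > 0) toy_alloc_budget--;
  return malloc (n);
}

void toy_free_tree (toy_node *t)
{
  if (t == NULL) return;
  toy_free_tree (t->left); toy_free_tree (t->right); free (t);
}

toy_node *toy_create_tree (int type, toy_node *left, toy_node *right)
{
  toy_node *n = toy_malloc (sizeof *n);
  if (n == NULL) return NULL;
  n->type = type; n->left = left; n->right = right;
  return n;
}

/* Deep copy: 0 on success, -1 with nothing leaked if any allocation fails. */
static int toy_dup_rec (const toy_node *src, toy_node **dst)
{
  *dst = NULL;
  if (src == NULL) return 0;
  toy_node *n = toy_create_tree (src->type, NULL, NULL);
  if (n == NULL) return -1;
  if (toy_dup_rec (src->left, &n->left) != 0 || toy_dup_rec (src->right, &n->right) != 0)
    { toy_free_tree (n); return -1; }
  *dst = n;
  return 0;
}

/* Same contract as regcomp.c's duplicate_tree: NULL means allocation failed. */
toy_node *toy_duplicate_tree (const toy_node *src)
{
  toy_node *dst;
  return toy_dup_rec (src, &dst) == 0 ? dst : NULL;
}

/* Shape of the code before the patch: the copy is dereferenced at once. */
toy_node *toy_parse_dup_op_unchecked (const toy_node *elem, int *err)
{
  toy_node *copy = toy_duplicate_tree (elem);
  if (copy->type == TOY_SUBEXP)             /* NULL dereference when the copy failed */
    copy->type = TOY_OPT_SUBEXP;
  *err = TOY_SUCCESS;
  return copy;
}

/* Shape of the code after the patch: failure goes to the ESPACE path. */
toy_node *toy_parse_dup_op_checked (const toy_node *elem, int *err)
{
  toy_node *copy = toy_duplicate_tree (elem);
  if (copy == NULL)
    goto parse_dup_op_espace;
  if (copy->type == TOY_SUBEXP)             /* the copy is "marked optional" here */
    copy->type = TOY_OPT_SUBEXP;
  *err = TOY_SUCCESS;
  return copy;
 parse_dup_op_espace:
  *err = TOY_ESPACE;
  return NULL;
}

long toy_count_nodes (const toy_node *t)
{
  return t == NULL ? 0 : 1 + toy_count_nodes (t->left) + toy_count_nodes (t->right);
}

/* Constructed input: a three-node subexpression tree. */
toy_node *toy_sample_tree (void)
{
  toy_set_alloc_budget (-1);
  return toy_create_tree (TOY_SUBEXP, toy_create_tree (TOY_CONCAT, NULL, NULL),
                          toy_create_tree (TOY_CONCAT, NULL, NULL));
}

int main (int argc, char **argv)
{
  toy_node *elem = toy_sample_tree ();
  int err;
  toy_set_alloc_budget (1);                 /* root copies, first child fails */
  toy_node *copy = toy_parse_dup_op_checked (elem, &err);
  printf ("checked: copy=%p err=%d\n", (void *) copy, err);
  if (argc > 1) {                           /* any argument: demonstrate the crash */
    toy_set_alloc_budget (1);
    toy_parse_dup_op_unchecked (elem, &err);
  }
  toy_free_tree (elem);
  (void) argv;
  return 0;
}
```

Running the binary with no argument prints the checked path reporting the toy ESPACE error with a NULL copy; running it with any argument takes the unchecked path under the same allocation budget and dies on the NULL dereference, which is the failure the grep reproducer exposed in the real parser.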