On 9/12/18 8:02 AM, Assaf Gordon wrote:
> Hello,
>
> Prompted by the recent bug reports, I decided to do some
> targeted fuzzing on gnulib's regex module using afl.
>
> So far I found two obscure bugs, and one pathological case.
>
> Can be easily reproduced with:
>
> $ echo 1 | grep -E "(\'|^)(\1|)"
> grep: regexec.c:1375: pop_fail_stack: Assertion `num >= 0' failed.
> Aborted
>
> $ echo A | grep -E "$(printf '(\227|)(\\1\\1|t1|\\\2537)+')"
> Segmentation fault ## stack overflow due to infinite recursion
>
> And the following pathological case can easily consume hundreds of MB of
> RAM (more "+" - more RAM):
>
> $ echo 1 | time grep -E '(.)++++++++++++++++++++++|'
I stumbled upon the memory consumption (and slowness) a while ago, but it seems to be a well-known issue regarding https://sourceware.org/glibc/wiki/Security%20Exceptions.

So, never accept regex patterns from untrusted sources.

Regards,
Tim
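A defensive pre-check in the spirit of Tim's advice, added here as an example and not code from the thread or from gnulib: it flags the two constructs the reported patterns rely on, back-references and stacked quantifiers, so an application can refuse such a pattern from an untrusted source before it ever reaches regexec. The function name, the length cap and the sample patterns are constructed for this example.

```python
"""Flag ERE constructs that the thread shows can crash or exhaust the matcher."""


def risky_constructs(pattern: str, max_len: int = 256) -> list[str]:
    """Return reasons an ERE pattern should not be accepted from an untrusted
    source; an empty list means nothing was flagged. Handles escapes and
    bracket expressions so that '\\\\1' (escaped backslash) and '[]x]' are not
    misreported. POSIX classes like [[:alpha:]] get no special handling."""
    reasons: list[str] = []
    if len(pattern) > max_len:
        reasons.append(f"pattern longer than {max_len} characters")
    i, n = 0, len(pattern)
    prev_quantifier = False  # previous token was a quantifier
    run_reported = False     # this run of stacked quantifiers is already listed
    in_bracket = False       # inside a [...] bracket expression
    while i < n:
        c = pattern[i]
        if in_bracket:
            in_bracket = c != "]"
            i += 1
            continue
        if c == "\\" and i + 1 < n:          # escape: \1..\9 are back-references
            nxt = pattern[i + 1]
            if nxt in "123456789":
                reasons.append(f"back-reference \\{nxt} at offset {i}")
            prev_quantifier = False
            i += 2
            continue
        if c == "[":                         # start of a bracket expression
            in_bracket = True
            i += 1
            if i < n and pattern[i] == "^":
                i += 1
            if i < n and pattern[i] == "]":  # a leading ']' is literal
                i += 1
            prev_quantifier = False
            continue
        start, is_q = i, c in "*+?"
        if c == "{":                         # interval {m,n} counts as a quantifier
            close = pattern.find("}", i)
            if close != -1:
                is_q, i = True, close
        if is_q and prev_quantifier:
            if not run_reported:
                reasons.append(f"stacked quantifier at offset {start}")
                run_reported = True
        else:
            run_reported = False
        prev_quantifier = is_q
        i += 1
    if in_bracket:
        reasons.append("unterminated bracket expression")
    return reasons
```

Constructed inputs from the thread: `(\'|^)(\1|)` is flagged for its back-reference and `(.)++++|` for its stacked quantifiers, while ordinary patterns such as `^[0-9]+\.[a-z]{2,4}$` pass.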