m4-patches

branch-1_4 regexp coredump

From: Eric Blake
Subject: branch-1_4 regexp coredump
Date: Fri, 18 Aug 2006 03:38:33 +0000 (UTC)
User-agent: Loom/3.14 (http://gmane.org/)

Karl's observation on bug-m4 that we had a bogus warning pointed out something 
even more severe - we were reading uninitialized memory from the stack.  
Depending on your hardware, you can get allocation failures, core dumps, and 
possibly even arbitrary code execution.

$ echo 'regexp(abc,\(\(b\)\)\(c\),\4\5\6)'|m4
m4:stdin:1: Warning: sub-expression 4 not present
Segmentation fault (core dumped)

2006-08-17  Eric Blake  <address@hidden>

        * src/builtin.c (substitute): Avoid core dump when accessing
        beyond bound of regular expression.
        Reported by Karl Nelson.
        * doc/m4.texinfo (Regexp): Add example that causes core dump on
        some architectures prior to this patch.
        * THANKS: Updated.

Index: doc/m4.texinfo
===================================================================
RCS file: /sources/m4/m4/doc/m4.texinfo,v
retrieving revision 1.1.1.1.2.67
diff -u -b -r1.1.1.1.2.67 m4.texinfo
--- doc/m4.texinfo      16 Aug 2006 14:44:16 -0000      1.1.1.1.2.67
+++ doc/m4.texinfo      18 Aug 2006 03:35:59 -0000
@@ -3370,6 +3370,11 @@
 @error{}m4:stdin:2: Warning: sub-expression 1 not present
 @error{}m4:stdin:2: Warning: trailing \ ignored in replacement
 @result{}
+regexp(`abc', `\(\(d\)?\)\(c\)', `\1\2\3\4\5\6')
address@hidden:stdin:3: Warning: sub-expression 4 not present
address@hidden:stdin:3: Warning: sub-expression 5 not present
address@hidden:stdin:3: Warning: sub-expression 6 not present
address@hidden
 @end example
 
 @node Substr
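Review bot: the new texinfo example shows only the three warnings; a short sentence before the `regexp(...)` line saying that a replacement naming a sub-expression the pattern does not define used to read past the match registers (the ChangeLog's "core dump on some architectures") would tell readers why this case is documented. Also, the `@result{}` line and the three `@error{}` lines are mangled by the archive's address hiding ("address@hidden"), so the expected output of the example cannot be checked from this posting.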
Index: src/builtin.c
===================================================================
RCS file: /sources/m4/m4/src/Attic/builtin.c,v
retrieving revision 1.1.1.1.2.33
diff -u -b -r1.1.1.1.2.33 builtin.c
--- src/builtin.c       16 Aug 2006 14:30:10 -0000      1.1.1.1.2.33
+++ src/builtin.c       18 Aug 2006 03:35:59 -0000
@@ -1683,12 +1683,12 @@
        case '1': case '2': case '3': case '4': case '5': case '6':
        case '7': case '8': case '9':
          ch -= '0';
-         if (regs->end[ch] > 0)
-           obstack_grow (obs, victim + regs->start[ch],
-                         regs->end[ch] - regs->start[ch]);
-         else
+         if (regs->num_regs - 1 <= ch)
            M4ERROR ((warning_status, 0, "\
 Warning: sub-expression %d not present", ch));
+         else if (regs->end[ch] > 0)
+           obstack_grow (obs, victim + regs->start[ch],
+                         regs->end[ch] - regs->start[ch]);
          break;
 
        case '\0':
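Review bot: the bound `regs->num_regs - 1 <= ch` also rejects index `num_regs - 1`; whether that is exact depends on whether `num_regs` counts a trailing sentinel register or only real groups, and the hunk does not say, so a one-line comment above the `if` stating the convention relied on would make the off-by-one reviewable. Moving the check ahead of the `regs->end[ch] > 0` read is the right shape for the fix, since the old code indexed `end[ch]` first and only warned afterwards; the surviving `> 0` test also skips a group that matched empty at offset 0, which is harmless here because such a group contributes nothing anyway.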

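The bounds check the patch adds, as an added example in C that is not m4's own code: it uses the POSIX <regex.h> API (regmatch_t and nmatch = re_nsub + 1) instead of GNU re_registers/num_regs, so the bound is `nmatch` rather than `regs->num_regs - 1`, and `substitute` and `regexp_replace` are names chosen here.

```c
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <stdlib.h>
#include <string.h>

/* Expand REPL against VICTIM using groups PM[0 .. NMATCH-1].  A \N with
 * N >= NMATCH is counted in *WARNINGS and skipped instead of being read
 * past the array (the check the m4 patch adds).  Caller frees the result. */
static char *
substitute (const char *victim, const char *repl,
            const regmatch_t *pm, size_t nmatch, int *warnings)
{
  /* Bound: each literal char of REPL, plus one VICTIM per \N escape. */
  size_t len = 0, cap = strlen (repl) + (strlen (repl) / 2) * strlen (victim) + 1;
  char *out = malloc (cap);
  if (!out) return NULL;
  for (const char *p = repl; *p; p++) {
    if (*p != '\\') { out[len++] = *p; continue; }
    char ch = *++p;
    if (ch == '\0') break;                  /* trailing \ is ignored */
    if (ch < '0' || ch > '9') { out[len++] = ch; continue; }  /* \x -> x */
    size_t g = (size_t) (ch - '0');
    if (g >= nmatch) { (*warnings)++; continue; }  /* not in the pattern */
    if (pm[g].rm_so < 0) continue;          /* group did not participate */
    size_t n = (size_t) (pm[g].rm_eo - pm[g].rm_so);
    memcpy (out + len, victim + pm[g].rm_so, n);
    len += n;
  }
  out[len] = '\0';
  return out;
}

/* Match PATTERN (POSIX basic syntax, \( \) groups) against SUBJECT and
 * expand REPL; only re_nsub + 1 registers are valid targets for \N. */
static char *
regexp_replace (const char *pattern, const char *subject,
                const char *repl, int *warnings)
{
  regex_t re;
  regmatch_t pm[10];                        /* \0 .. \9 is all REPL can name */
  if (regcomp (&re, pattern, 0) != 0) return NULL;
  size_t nmatch = re.re_nsub + 1 < 10 ? re.re_nsub + 1 : 10;
  char *out = regexec (&re, subject, nmatch, pm, 0) == 0
              ? substitute (subject, repl, pm, nmatch, warnings)
              : strdup ("");                /* no match: empty result */
  regfree (&re);
  return out;
}
```

With the posting's own input, `regexp_replace ("\\(\\(b\\)\\)\\(c\\)", "abc", "\\4\\5\\6", &w)` yields an empty string and three warnings instead of an out-of-bounds read.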