[grep] dfa: don't overrun a malloc'd buffer for certain regexps (patch dfa-buffer-overrun-fix) Resolves: rh

Jaroslav Škarvada jskarvad at fedoraproject.org
Mon Jun 20 11:42:20 UTC 2011 

commit dfa863d2b4fae5a0b262d23b81e44d71c4a9a8f7
Author: Jaroslav Škarvada <jskarvad at redhat.com>
Date:   Mon Jun 20 13:42:06 2011 +0200

    dfa: don't overrun a malloc'd buffer for certain regexps
    (patch dfa-buffer-overrun-fix)
    Resolves: rhbz#713328

 grep-2.8-dfa-buffer-overrun-fix.patch |  107 +++++++++++++++++++++++++++++++++
 grep.spec                             |   11 +++-
 2 files changed, 117 insertions(+), 1 deletions(-)
---
diff --git a/grep-2.8-dfa-buffer-overrun-fix.patch b/grep-2.8-dfa-buffer-overrun-fix.patch
new file mode 100644
index 0000000..6013847
--- /dev/null
+++ b/grep-2.8-dfa-buffer-overrun-fix.patch
@@ -0,0 +1,107 @@
+From 0b91d6928e9d098d3746ce9f4bb4160a2e685f5c Mon Sep 17 00:00:00 2001
+From: Jim Meyering <meyering at redhat.com>
+Date: Fri, 17 Jun 2011 08:27:06 +0000
+Subject: dfa: don't overrun a malloc'd buffer for certain regexps
+
+* src/dfa.c (dfaanalyze): Allocate space for twice as many
+positions as there are leaves.  Before this change, for some
+regular expressions, DFA analysis would have inserted far more
+"positions" than dfa->nleaves (up to double).
+Reported by Raymond Russell in http://savannah.gnu.org/bugs/?33547
+* tests/dfa-heap-overrun: Trigger the overrun.
+* tests/Makefile.am (TESTS): Add it.
+* NEWS (Bug fixes): Mention it.
+
+
+NEWS hunk modified to apply, Jaroslav Škarvada <jskarvad at redhat.com>
+---
+diff --git a/NEWS b/NEWS
+index d026448..3354d50 100644
+--- a/NEWS
++++ b/NEWS
+@@ -4,6 +4,9 @@ GNU grep NEWS                                    -*- outline -*-
+ 
+ ** Bug fixes
+ 
++  grep no longer clobbers heap for an ERE like '(^| )*( |$)'
++  [bug introduced in grep-2.6]
++
+   echo c|grep '[c]' would fail for any c in 0x80..0xff, and in many locales.
+   E.g., printf '\xff\n'|grep "$(printf '[\xff]')" || echo FAIL
+   would print FAIL rather than the required matching line.
+
+diff --git a/src/dfa.c b/src/dfa.c
+index 873530f..c32d679 100644
+--- a/src/dfa.c
++++ b/src/dfa.c
+@@ -2134,7 +2134,7 @@ dfaanalyze (struct dfa *d, int searchflag)
+   MALLOC(lastpos, position, d->nleaves);
+   o_lastpos = lastpos, lastpos += d->nleaves;
+   CALLOC(nalloc, int, d->tindex);
+-  MALLOC(merged.elems, position, d->nleaves);
++  MALLOC(merged.elems, position, 2 * d->nleaves);
+ 
+   CALLOC(d->follows, position_set, d->tindex);
+ 
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 8d51727..1f0d2cf 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -46,6 +46,7 @@ TESTS =						\
+   case-fold-char-range				\
+   case-fold-char-type				\
+   char-class-multibyte				\
++  dfa-heap-overrun				\
+   dfaexec-multibyte				\
+   empty						\
+   equiv-classes                                 \
+@@ -103,7 +104,6 @@ MALLOC_PERTURB_ = 1
+ TESTS_ENVIRONMENT =				\
+   tmp__=$$TMPDIR; test -d "$$tmp__" || tmp__=.;	\
+   TMPDIR=$$tmp__; export TMPDIR;		\
+-  exec 9>&2;					\
+   shell_or_perl_() {				\
+     if grep '^\#!/usr/bin/perl' "$$1" > /dev/null; then			\
+       if $(PERL) -e 'use warnings' > /dev/null 2>&1; then		\
+@@ -141,6 +141,6 @@ TESTS_ENVIRONMENT =				\
+   PERL='$(PERL)'				\
+   SHELL='$(SHELL)'				\
+   PATH='$(abs_top_builddir)/src$(PATH_SEPARATOR)'"$$PATH" \
+-  ; shell_or_perl_
++  ; shell_or_perl_ 9>&2
+ 
+ VERBOSE = yes
+diff --git a/tests/dfa-heap-overrun b/tests/dfa-heap-overrun
+new file mode 100755
+index 0000000..dda1c12
+--- a/dev/null
++++ b/tests/dfa-heap-overrun
+@@ -0,0 +1,26 @@
++#!/bin/sh
++# Trigger a heap overrun in grep-2.6..grep-2.8.
++
++# Copyright (C) 2011 Free Software Foundation, Inc.
++
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++
++. "${srcdir=.}/init.sh"; path_prepend_ ../src
++
++fail=0
++
++grep -E '(^| )*(a|b)*(c|d)*( |$)' < /dev/null
++test $? = 1 || fail=1
++
++Exit $fail
+--
+cgit v0.8.3.4
diff --git a/grep.spec b/grep.spec
index 1a7a10d..34a324b 100644
--- a/grep.spec
+++ b/grep.spec
@@ -3,7 +3,7 @@
 Summary: Pattern matching utilities
 Name: grep
 Version: 2.8
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv3+
 Group: Applications/Text
 Source: ftp://ftp.gnu.org/pub/gnu/grep/grep-%{version}.tar.xz
@@ -16,6 +16,8 @@ Requires(preun): /sbin/install-info
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 BuildRequires: pcre-devel >= 3.9-10, texinfo, gettext
 BuildRequires: autoconf automake
+# dfa: don't overrun a malloc'd buffer for certain regexps (#713328)
+Patch0: grep-2.8-dfa-buffer-overrun-fix.patch
 
 %description
 The GNU versions of commonly used grep utilities. Grep searches through
@@ -27,6 +29,8 @@ GNU grep is needed by many scripts, so it shall be installed on every system.
 %prep
 %setup -q
 
+%patch0 -p1 -b .dfa-buffer-overrun-fix
+
 %build
 %configure --without-included-regex CPPFLAGS="-I%{_includedir}/pcre"
 make %{?_smp_mflags}
@@ -67,6 +71,11 @@ fi
 %{_mandir}/*/*
 
 %changelog
+* Mon Jun 20 2011 Jaroslav Škarvada <jskarvad at redhat.com> - 2.8-4
+- dfa: don't overrun a malloc'd buffer for certain regexps
+  (patch dfa-buffer-overrun-fix)
+  Resolves: rhbz#713328
+
 * Mon May 16 2011 Jaroslav Škarvada <jskarvad at redhat.com> - 2.8-3
 - Added coloring aliases to csh script as well

More information about the scm-commits mailing list