From dfa863d2b4fae5a0b262d23b81e44d71c4a9a8f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?=
Date: Mon, 20 Jun 2011 13:42:06 +0200
Subject: [PATCH] dfa: don't overrun a malloc'd buffer for certain regexps (patch dfa-buffer-overrun-fix) Resolves: rhbz#713328
---
grep-2.8-dfa-buffer-overrun-fix.patch | 107 ++++++++++++++++++++++++++
grep.spec | 11 ++-
2 files changed, 117 insertions(+), 1 deletion(-)
create mode 100644 grep-2.8-dfa-buffer-overrun-fix.patch
diff --git a/grep-2.8-dfa-buffer-overrun-fix.patch b/grep-2.8-dfa-buffer-overrun-fix.patch
new file mode 100644
index 0000000..6013847
--- /dev/null
+++ b/grep-2.8-dfa-buffer-overrun-fix.patch
@@ -0,0 +1,107 @@
+From 0b91d6928e9d098d3746ce9f4bb4160a2e685f5c Mon Sep 17 00:00:00 2001
+From: Jim Meyering
+Date: Fri, 17 Jun 2011 08:27:06 +0000
+Subject: dfa: don't overrun a malloc'd buffer for certain regexps
+
+* src/dfa.c (dfaanalyze): Allocate space for twice as many
+positions as there are leaves. Before this change, for some
+regular expressions, DFA analysis would have inserted far more
+"positions" than dfa->nleaves (up to double).
+Reported by Raymond Russell in http://savannah.gnu.org/bugs/?33547
+* tests/dfa-heap-overrun: Trigger the overrun.
+* tests/Makefile.am (TESTS): Add it.
+* NEWS (Bug fixes): Mention it.
+
+
+NEWS hunk modified to apply, Jaroslav Škarvada
+---
+diff --git a/NEWS b/NEWS
+index d026448..3354d50 100644
+--- a/NEWS
++++ b/NEWS
+@@ -4,6 +4,9 @@ GNU grep NEWS -*- outline -*-
+
+ ** Bug fixes
+
++ grep no longer clobbers heap for an ERE like '(^| )*( |$)'
++ [bug introduced in grep-2.6]
++
+ echo c|grep '[c]' would fail for any c in 0x80..0xff, and in many locales.
+ E.g., printf '\xff\n'|grep "$(printf '[\xff]')" || echo FAIL
+ would print FAIL rather than the required matching line.
+
+diff --git a/src/dfa.c b/src/dfa.c
+index 873530f..c32d679 100644
+--- a/src/dfa.c
++++ b/src/dfa.c
+@@ -2134,7 +2134,7 @@ dfaanalyze (struct dfa *d, int searchflag)
+ MALLOC(lastpos, position, d->nleaves);
+ o_lastpos = lastpos, lastpos += d->nleaves;
+ CALLOC(nalloc, int, d->tindex);
+- MALLOC(merged.elems, position, d->nleaves);
++ MALLOC(merged.elems, position, 2 * d->nleaves);
+
+ CALLOC(d->follows, position_set, d->tindex);
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 8d51727..1f0d2cf 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -46,6 +46,7 @@ TESTS = \
+ case-fold-char-range \
+ case-fold-char-type \
+ char-class-multibyte \
++ dfa-heap-overrun \
+ dfaexec-multibyte \
+ empty \
+ equiv-classes \
+@@ -103,7 +104,6 @@ MALLOC_PERTURB_ = 1
+ TESTS_ENVIRONMENT = \
+ tmp__=$$TMPDIR; test -d "$$tmp__" || tmp__=.; \
+ TMPDIR=$$tmp__; export TMPDIR; \
+- exec 9>&2; \
+ shell_or_perl_() { \
+ if grep '^\#!/usr/bin/perl' "$$1" > /dev/null; then \
+ if $(PERL) -e 'use warnings' > /dev/null 2>&1; then \
+@@ -141,6 +141,6 @@ TESTS_ENVIRONMENT = \
+ PERL='$(PERL)' \
+ SHELL='$(SHELL)' \
+ PATH='$(abs_top_builddir)/src$(PATH_SEPARATOR)'"$$PATH" \
+- ; shell_or_perl_
++ ; shell_or_perl_ 9>&2
+
+ VERBOSE = yes
+diff --git a/tests/dfa-heap-overrun b/tests/dfa-heap-overrun
+new file mode 100755
+index 0000000..dda1c12
+--- a/dev/null
++++ b/tests/dfa-heap-overrun
+@@ -0,0 +1,26 @@
++#!/bin/sh
++# Trigger a heap overrun in grep-2.6..grep-2.8.
++
++# Copyright (C) 2011 Free Software Foundation, Inc.
++
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see .
++
++. "${srcdir=.}/init.sh"; path_prepend_ ../src
++
++fail=0
++
++grep -E '(^| )*(a|b)*(c|d)*( |$)' < /dev/null
++test $? = 1 || fail=1
++
++Exit $fail
+--
+cgit v0.8.3.4
diff --git a/grep.spec b/grep.spec
index 1a7a10d..34a324b 100644
--- a/grep.spec
+++ b/grep.spec
@@ -3,7 +3,7 @@ Summary: Pattern matching utilities
 Name: grep
 Version: 2.8
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv3+
 Group: Applications/Text
 Source: ftp://ftp.gnu.org/pub/gnu/grep/grep-%{version}.tar.xz
@@ -16,6 +16,8 @@ Requires(preun): /sbin/install-info
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 BuildRequires: pcre-devel >= 3.9-10, texinfo, gettext
 BuildRequires: autoconf automake
+# dfa: don't overrun a malloc'd buffer for certain regexps (#713328)
+Patch0: grep-2.8-dfa-buffer-overrun-fix.patch
 
 %description
 The GNU versions of commonly used grep utilities. Grep searches through
@@ -27,6 +29,8 @@ GNU grep is needed by many scripts, so it shall be installed on every system.
 %prep
 %setup -q
+%patch0 -p1 -b .dfa-buffer-overrun-fix
+
 
 %build
 %configure --without-included-regex CPPFLAGS="-I%{_includedir}/pcre"
 make %{?_smp_mflags}
@@ -67,6 +71,11 @@ fi
 %{_mandir}/*/*
 
 %changelog
+* Mon Jun 20 2011 Jaroslav Škarvada - 2.8-4
+- dfa: don't overrun a malloc'd buffer for certain regexps
+ (patch dfa-buffer-overrun-fix)
+ Resolves: rhbz#713328
+
* Mon May 16 2011 Jaroslav Škarvada - 2.8-3
 - Added coloring aliases to csh script as well
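Review bot: The dfa.c change `MALLOC(merged.elems, position, 2 * d->nleaves);` sizes the merge buffer purely from the "up to double" bound stated in the patch header, and nothing in the hunk records why that bound holds, so a later change to how positions are merged could silently reintroduce the same heap write; the allocation should at least carry a why-comment such as `/* Merging follow sets can yield up to twice as many positions as there are leaves; see http://savannah.gnu.org/bugs/?33547. */`, and a capacity assertion at the write site (outside this hunk) would turn any future over-estimate into a diagnosable abort instead of corruption. The regression test `grep -E '(^| )*(a|b)*(c|d)*( |$)' < /dev/null` only checks for exit status 1, so it detects the overrun only when the corruption happens to change the exit status, presumably relying on the `MALLOC_PERTURB_ = 1` visible in the Makefile.am hunk context; running the suite under a heap checker is what makes it reliable. The two TESTS_ENVIRONMENT hunks (dropping `exec 9>&2; \` and adding `; shell_or_perl_ 9>&2`) are not mentioned in the header's change list and look unrelated to the overrun fix, so the backport note should either explain why they are carried along or they should be dropped to keep the patch minimal.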
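Review bot: `%patch0 -p1 -b .dfa-buffer-overrun-fix` in the %prep hunk applies a patch that edits tests/Makefile.am, but the visible %build hunk still runs `%configure` directly, so registering the new dfa-heap-overrun test depends on automake's rebuild rules firing (the patched Makefile.am being newer than the tarball's Makefile.in) and on the system automake being compatible with the one that generated the tarball; an explicit `autoreconf -fi` before `%configure` would make that deterministic. None of the visible hunks add a `%check` section that runs `make check`, so as far as this diff shows the shipped regression test never guards the build; either add one or note in the Patch0 comment at -16 that the test portion of the patch is carried for reference only. The Patch0 declaration hunk and the %prep hunk share this point.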