[TRE-general] [Crm114-general] segv from /usr/lib/libtre.so.4 (tre-0.7.5)
Bill Y
wsy at merl.com
Sun Jan 7 05:44:54 EET 2007
From: Paolo <oopla at users.sourceforge.net>
> > Program received signal SIGSEGV, Segmentation fault.
>
> > the guilty RE is '((?.+)^$.{10}).*'
>
> Hmm, well, that does not look like a valid regexp. The '(?.+)' part
right, I hit <return> by chance too early.
> So, I would say the bug is in crm114; it seems that it does not check
> the regcomp() return value at least in this particular case.
indeed, more recent versions of crm114 bail out with invalid re error.
Yep. You're running old code, Paolo.
Though I think TRE shouldn't segv even if fed with invalid re.
IMO segv is always a bad way to tell the caller that the call was illegal,
and a possible security hole. Possibly, I'd rather have TRE (any lib, for
that matter) make sanity checks on args it's passed on.
Interesting... though I sorta have to agree with Paolo on this
one. It might be possible to finagle the regex segfault into
a security exploit.
My guess is the result of REGCOMPing an invalid expression should be
a compiled regex form that always returns an error condition; REG_ESPACE
is one such, so it's not unreasonable to have another, in case someone
hands regexec a bad compiled regex form.
- Bill Yerazunis
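
An added example, not part of the original message and not crm114 or TRE code: a caller-side wrapper that checks the regcomp() return value and refuses to pass a failed compile to regexec(), returning the recorded error instead. It assumes the POSIX <regex.h> interface; the names safe_regex, safe_regcomp, safe_regexec and safe_regfree are hypothetical, and the patterns are constructed samples.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wrapper: records whether regcomp() succeeded. */
typedef struct {
    regex_t re;
    int compiled;  /* 1 only after a successful regcomp() */
    int err;       /* return code of the last regcomp() */
} safe_regex;

int safe_regcomp(safe_regex *sr, const char *pattern, int cflags) {
    memset(sr, 0, sizeof *sr);
    sr->err = regcomp(&sr->re, pattern, cflags);
    sr->compiled = (sr->err == 0);
    return sr->err;
}

/* Never hands regexec() a regex_t that failed to compile: replays the
 * compile error instead (REG_BADPAT if there is none on record). */
int safe_regexec(const safe_regex *sr, const char *s) {
    if (sr == NULL || s == NULL)
        return REG_BADPAT;
    if (!sr->compiled)
        return sr->err ? sr->err : REG_BADPAT;
    return regexec(&sr->re, s, 0, NULL, 0);
}

void safe_regfree(safe_regex *sr) {
    if (sr != NULL && sr->compiled) {
        regfree(&sr->re);
        sr->compiled = 0;
    }
}

int main(void) {
    /* Constructed sample patterns: the first has an unclosed group. */
    const char *patterns[] = { "(unclosed", "^a.{3}$" };
    for (size_t i = 0; i < 2; i++) {
        safe_regex sr;
        char msg[128];
        int rc = safe_regcomp(&sr, patterns[i], REG_EXTENDED);
        if (rc != 0) {
            regerror(rc, NULL, msg, sizeof msg);
            printf("'%s': compile failed: %s\n", patterns[i], msg);
        }
        printf("'%s': exec -> %d\n", patterns[i], safe_regexec(&sr, "abcd"));
        safe_regfree(&sr);
    }
    return 0;
}
```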