[TRE-general] [Crm114-general] segv from /usr/lib/libtre.so.4 (tre-0.7.5)
Bill Y
wsy at merl.com
Sun Jan 7 15:05:38 EET 2007
> From: Ville Laurikari <ville at laurikari.net>
>
> On Sat, Jan 06, 2007 at 10:44:54PM -0500, Bill Y wrote:
> > My guess is the result of REGCOMPing an invalid expression should be
> > a compiled regex form that always returns an error condition; REG_ESPACE
> > is one such, so it's not unreasonable to have another, in case someone
> > hands regexec a bad compiled regex form.
>
> Hmm... If regcomp() should return something even for invalid regexps,
> it should be something that does not need to be regfree'd. Because
> you are _not_ supposed to regfree() if you already got an error in
> regcomp(). That's actually another source of potentially exploitable
> bugs.
>
> TRE uses just one pointer in the regex_t struct. I'll change TRE to
> initialize it to NULL in case of errors, and have the other entry
> points check for that. I think REG_BADPAT (invalid regexp) can be
> used as the error code here.

Perfect!

Programs that behave correctly will get the right results, and
programs that misbehave will get zapped in a way that makes it
easy to debug.

I wonder if it's worthwhile to put in a checksum or magic number,
so if the calling program sends in a mangled *void (say, a pointer
to the string pattern, not the compiled version), TRElib can
tell and will return REG_BADPAT as well.

- Bill Yerazunis
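
The scheme discussed in this thread, as an added C sketch that is not TRE's code and was not written by either poster: a handle holding one pointer that is NULL after a failed compile, entry points that check it, and a best-effort magic tag. All `toy_`/`TOY_` names, the tag value and the literal-only "pattern language" are assumptions; `TOY_BADPAT` stands in for `REG_BADPAT`.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical names throughout; TOY_BADPAT plays the role of REG_BADPAT. */
enum { TOY_OK = 0, TOY_NOMATCH = 1, TOY_BADPAT = 2, TOY_ESPACE = 3 };
#define TOY_MAGIC 0x54524521u            /* constructed tag value */

typedef struct { unsigned magic; char *literal; } toy_prog;  /* compiled form */
typedef struct { void *value; } toy_regex_t;   /* one pointer, as in the thread */

/* Toy "compiler": a pattern is a literal; one ending in a backslash is invalid. */
int toy_regcomp(toy_regex_t *preg, const char *pattern) {
    size_t n = strlen(pattern);
    toy_prog *prog;
    preg->value = NULL;                  /* error state is set before any parsing */
    if (n > 0 && pattern[n - 1] == '\\') return TOY_BADPAT;
    if ((prog = malloc(sizeof *prog)) == NULL) return TOY_ESPACE;
    if ((prog->literal = malloc(n + 1)) == NULL) { free(prog); return TOY_ESPACE; }
    memcpy(prog->literal, pattern, n + 1);
    prog->magic = TOY_MAGIC;
    preg->value = prog;                  /* published only on success */
    return TOY_OK;
}

/* Returns the compiled form, or NULL for a failed, freed or untagged handle. */
static toy_prog *toy_checked(const toy_regex_t *preg) {
    unsigned m;
    if (preg == NULL || preg->value == NULL) return NULL;
    memcpy(&m, preg->value, sizeof m);   /* best effort: still reads sizeof m bytes */
    return m == TOY_MAGIC ? (toy_prog *)preg->value : NULL;
}

int toy_regexec(const toy_regex_t *preg, const char *text) {
    toy_prog *prog = toy_checked(preg);
    if (prog == NULL) return TOY_BADPAT; /* bad handle: error, not a crash */
    return strstr(text, prog->literal) ? TOY_OK : TOY_NOMATCH;
}

void toy_regfree(toy_regex_t *preg) {
    toy_prog *prog = toy_checked(preg);
    if (prog == NULL) return;            /* safe after a failed compile */
    prog->magic = 0;                     /* stale copies of the pointer lose the tag */
    free(prog->literal);
    free(prog);
    preg->value = NULL;                  /* a second free or later exec is harmless */
}
```

The magic check only helps when the pointer is readable for at least `sizeof(unsigned)` bytes, so it catches a wrong-but-valid pointer such as a pattern string, not an arbitrary wild pointer.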