Bug #12997
[closed] Out-of-bounds read in regcomp.c
Description
Valgrind reports out-of-bounds memory access while creating a Regexp object with an invalid byte sequence:
```
$ valgrind ruby -e'Regexp.new("\\\xD3\xD5\xBE\x1E+".force_encoding("euc-jp"))'
==21986== Memcheck, a memory error detector
==21986== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==21986== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==21986== Command: ruby -eRegexp.new("\\\\\\xD3\\xD5\\xBE\\x1E+".force_encoding("euc-jp"))
==21986==
==21986== Invalid read of size 1
==21986==    at 0x1EF7D0: set_bm_skip.isra.17 (regcomp.c:4271)
==21986==    by 0x1FC1FB: set_optimize_exact_info (regcomp.c:5310)
==21986==    by 0x1FC1FB: set_optimize_info_from_tree (regcomp.c:5396)
==21986==    by 0x1FC1FB: onig_compile (regcomp.c:5824)
==21986==    by 0x1E7C0C: onig_new_with_source (re.c:850)
==21986==    by 0x1E7C0C: make_regexp (re.c:874)
==21986==    by 0x1E7C0C: rb_reg_initialize (re.c:2681)
==21986==    by 0x1E7DEE: rb_reg_initialize_str (re.c:2715)
==21986==    by 0x1E8021: rb_reg_init_str (re.c:2751)
==21986==    by 0x1E8021: rb_reg_initialize_m (re.c:3293)
==21986==    by 0x2981AA: vm_call0_cfunc_with_frame (vm_eval.c:131)
==21986==    by 0x2981AA: vm_call0_cfunc (vm_eval.c:148)
==21986==    by 0x2981AA: vm_call0_body.constprop.142 (vm_eval.c:180)
==21986==    by 0x29897C: vm_call0 (vm_eval.c:61)
==21986==    by 0x29897C: rb_call0 (vm_eval.c:342)
==21986==    by 0x19BFA0: rb_class_new_instance (object.c:1895)
==21986==    by 0x2891D6: vm_call_cfunc_with_frame (vm_insnhelper.c:1752)
==21986==    by 0x2891D6: vm_call_cfunc (vm_insnhelper.c:1847)
==21986==    by 0x296A8D: vm_call_method_each_type (vm_insnhelper.c:2138)
==21986==    by 0x296FC2: vm_call_method (vm_insnhelper.c:2288)
==21986==    by 0x28FEC8: vm_exec_core (insns.def:1066)
==21986==  Address 0x73f7333 is 0 bytes after a block of size 3 alloc'd
==21986==    at 0x4C2AB8D: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21986==    by 0x1FC083: set_optimize_exact_info (regcomp.c:5284)
==21986==    by 0x1FC083: set_optimize_info_from_tree (regcomp.c:5396)
==21986==    by 0x1FC083: onig_compile (regcomp.c:5824)
==21986==    by 0x1E7C0C: onig_new_with_source (re.c:850)
==21986==    by 0x1E7C0C: make_regexp (re.c:874)
==21986==    by 0x1E7C0C: rb_reg_initialize (re.c:2681)
==21986==    by 0x1E7DEE: rb_reg_initialize_str (re.c:2715)
==21986==    by 0x1E8021: rb_reg_init_str (re.c:2751)
==21986==    by 0x1E8021: rb_reg_initialize_m (re.c:3293)
==21986==    by 0x2981AA: vm_call0_cfunc_with_frame (vm_eval.c:131)
==21986==    by 0x2981AA: vm_call0_cfunc (vm_eval.c:148)
==21986==    by 0x2981AA: vm_call0_body.constprop.142 (vm_eval.c:180)
==21986==    by 0x29897C: vm_call0 (vm_eval.c:61)
==21986==    by 0x29897C: rb_call0 (vm_eval.c:342)
==21986==    by 0x19BFA0: rb_class_new_instance (object.c:1895)
==21986==    by 0x2891D6: vm_call_cfunc_with_frame (vm_insnhelper.c:1752)
==21986==    by 0x2891D6: vm_call_cfunc (vm_insnhelper.c:1847)
==21986==    by 0x296A8D: vm_call_method_each_type (vm_insnhelper.c:2138)
==21986==    by 0x296FC2: vm_call_method (vm_insnhelper.c:2288)
==21986==    by 0x28FEC8: vm_exec_core (insns.def:1066)
==21986==
==21986==
==21986== HEAP SUMMARY:
==21986==     in use at exit: 2,538,700 bytes in 17,476 blocks
==21986==   total heap usage: 43,758 allocs, 26,282 frees, 10,646,254 bytes allocated
==21986==
==21986== LEAK SUMMARY:
==21986==    definitely lost: 349,991 bytes in 3,886 blocks
==21986==    indirectly lost: 474,023 bytes in 5,121 blocks
==21986==      possibly lost: 1,441,628 bytes in 7,599 blocks
==21986==    still reachable: 273,058 bytes in 870 blocks
==21986==         suppressed: 0 bytes in 0 blocks
==21986== Rerun with --leak-check=full to see details of leaked memory
==21986==
==21986== For counts of detected and suppressed errors, rerun with: -v
==21986== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```
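A regression harness built around the reproducer above, added here as an example; it is not part of the bug report, of Ruby or of Onigmo. It re-creates the reported pattern byte for byte, confirms with `String#valid_encoding?` that it is not well-formed EUC-JP (0x1E is not a legal trail byte after the lead byte 0xBE), and then compiles it together with a constructed family of similarly malformed patterns, counting outcomes instead of letting a `RegexpError` abort the run. The interesting signal is not the Ruby-level result but whether the interpreter survives a memory checker, so the intended invocation is `valgrind --error-exitcode=1 ruby harness.rb` (the file name and the variant byte values are assumptions, not anything from the report).

```ruby
# Regression harness for Regexp compilation of strings that are invalid in
# their declared encoding. Added example, not code from the bug report or
# from Ruby/Onigmo. Run under a memory checker, e.g.
#   valgrind --error-exitcode=1 ruby harness.rb
# A clean ruby exit plus an empty Valgrind ERROR SUMMARY is the pass signal.

# The exact bytes from the report: "\" 0xD3 0xD5 0xBE 0x1E "+", tagged EUC-JP.
# 0xD3 0xD5 is a complete two-byte character; 0xBE 0x1E is not, because an
# EUC-JP trail byte must be in 0xA1..0xFE.
REPORTED_PATTERN = "\\\xD3\xD5\xBE\x1E+".b.force_encoding(Encoding::EUC_JP).freeze

# Compile one pattern and classify the outcome. A RegexpError is an acceptable
# answer to malformed input; what we are hunting is a crash or a memory-checker
# report, which no rescue clause can hide.
def compile_outcome(pattern)
  Regexp.new(pattern)
  :ok
rescue RegexpError
  :regexp_error
rescue StandardError
  # Anything else (encoding compatibility errors and the like) is still
  # "no crash", but is bucketed separately so it shows up in the summary.
  :other_error
end

# Constructed variants of the reported shape (assumption: these bytes are not
# from the original page): backslash, the valid character 0xD3 0xD5, then a
# lead byte followed by a byte that cannot be an EUC-JP trail byte, then "+".
def invalid_euc_jp_patterns
  leads  = [0xA1, 0xBE, 0xD3, 0xFE]
  trails = [0x00, 0x1E, 0x20, 0x5C, 0x7F, 0x80]
  leads.product(trails).map do |lead, trail|
    [0x5C, 0xD3, 0xD5, lead, trail, 0x2B].pack("C*").force_encoding(Encoding::EUC_JP)
  end
end

# Compile every pattern and return a count per outcome. Each input is first
# checked to really be an invalid byte sequence, so the harness cannot silently
# degrade into compiling well-formed patterns.
def run_checks(patterns = [REPORTED_PATTERN] + invalid_euc_jp_patterns)
  patterns.each_with_object(Hash.new(0)) do |pat, counts|
    raise ArgumentError, "expected an invalid byte sequence: #{pat.bytes.inspect}" if pat.valid_encoding?
    counts[compile_outcome(pat)] += 1
  end
end

if $PROGRAM_NAME == __FILE__
  p run_checks
end
```

The harness deliberately does not assert whether compilation succeeds or raises: that is a behavioural question for the regex engine, and either answer is fine as long as the read stays inside the allocated optimisation buffer. When extending the variant list, keep the `valid_encoding?` guard, since a variant that accidentally becomes well-formed no longer exercises the code path the report is about.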
Updated by naruse (Yui NARUSE) over 4 years ago
Could you report it to Onigmo?
https://github.com/k-takata/Onigmo
Updated by rhenium (Kazuki Yamaguchi) over 4 years ago
Sure, created https://github.com/k-takata/Onigmo/issues/81.
Updated by naruse (Yui NARUSE) over 4 years ago
- Backport changed from 2.1: UNKNOWN, 2.2: UNKNOWN, 2.3: UNKNOWN to 2.2: REQUIRED, 2.3: REQUIRED, 2.4: REQUIRED
- Assignee set to naruse (Yui NARUSE)
- Status changed from Open to Assigned
Updated by naruse (Yui NARUSE) about 4 years ago
- Status changed from Assigned to Closed
Updated by naruse (Yui NARUSE) about 4 years ago
- Backport changed from 2.2: REQUIRED, 2.3: REQUIRED, 2.4: REQUIRED to 2.2: REQUIRED, 2.3: REQUIRED, 2.4: DONE
ruby_2_4 r57957 merged revision(s) 57603.
Updated by nagachika (Tomoyuki Chikanaga) about 4 years ago
- Backport changed from 2.2: REQUIRED, 2.3: REQUIRED, 2.4: DONE to 2.2: REQUIRED, 2.3: DONE, 2.4: DONE