On Wed, Sep 5, 2018 at 12:32 AM Assaf Gordon <assafgor...@gmail.com> wrote:
>
> (adding gnulib)
>
> On 04/09/18 07:02 PM, Saito Takaaki wrote:
> [... discussing a sed bug ...]
> > However, a friend showed me a more complex case which is
> > problematic even with sed 4.4 on ideone. The last two lines of the
> > output (for the identical input lines) are particularly interesting.
> > https://ideone.com/Sq5xJX
> >
> > I hope this helps even a bit.
>
> Thank you for persisting with this bug.
>
> The linked snippet you provided exposed a heap-use-after-free bug
> in gnulib's regex module (possibly in glibc as well).
>
> A simple way to reproduce with latest sed:
>
> cd sed
> ./bootstrap
> ./configure --with-included-regex
> make
> echo 'abcdefghijklmns!!!!!!!!!!' \
> | valgrind ./sed/sed -E 'h;G;s/((.).+(.))(.*\n.*\1)/\2-\3\4/i'
>
> Results in a use-after-free relating to the back-references (valgrind
> output below). There's some interplay with the input length - if the
> exclamation marks are removed, the bug is not triggered.
> The bug does not trigger without the case-insensitive flag (s///i).
>
> This is easier to trigger with gnulib (hence --with-included-regex)
> but happens also with glibc's regex module.
>
> This could also mean that the bug you previously reported and I surmised
> was fixed is not fixed at all - could be that it was just much harder to
> trigger with later sed versions.
>
> I'm still learning the code so don't have a fix yet.
Wow, another!?! Thanks for pursuing!