Hi,

When compiling the 'info' program or GNU nano with -fsanitize=address, then searching in either of the programs for the regex "@\*" (without the quotes) causes an abortion in gnulib's re_search_internal() at lib/regexec.c:764.

To reproduce, configure texinfo-6.8 with CFLAGS="-g -O0 -march=native -fsanitize=address", compile, and then run 'info/ginfo texinfo 2>TRAIL' and search for "@\*". In other words, type: /@\*<Enter>. Then type five times Shift+}. Result: info aborts. See the attached output.

To reproduce with nano, first run 'makeinfo --plain doc/texinfo.texi >thetext' in the texinfo-6.8 directory, then configure nano-5.9 with the same CFLAGS, compile, and then run 'src/nano +1 thetext 2>TRAIL' and type: Ctrl+W Alt+R @\*<Enter>. Type six times Alt+W. Result: nano aborts. See the attached output.

Problem still occurs when using a current checkout of gnulib.

Benno
=================================================================
==15833==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000429f6 at pc 0x55571a3caf51 bp 0x7ffdbabfd5f0 sp 0x7ffdbabfd5e0
READ of size 1 at 0x6020000429f6 thread T0
    #0 0x55571a3caf50 in re_search_internal /home/ben/Programoj/texinfo-6.8/gnulib/lib/regexec.c:764
    #1 0x55571a3c88d8 in rpl_regexec /home/ben/Programoj/texinfo-6.8/gnulib/lib/regexec.c:219
    #2 0x55571a37a8f3 in extend_matches /home/ben/Programoj/texinfo-6.8/info/search.c:142
    #3 0x55571a37b1cf in regexp_search /home/ben/Programoj/texinfo-6.8/info/search.c:214
    #4 0x55571a38dfcd in info_search_in_node_internal /home/ben/Programoj/texinfo-6.8/info/session.c:3956
    #5 0x55571a38ed01 in info_search_internal /home/ben/Programoj/texinfo-6.8/info/session.c:4087
    #6 0x55571a392477 in info_search_next /home/ben/Programoj/texinfo-6.8/info/session.c:4688
    #7 0x55571a37e9b3 in info_read_and_dispatch /home/ben/Programoj/texinfo-6.8/info/session.c:252
    #8 0x55571a37e797 in info_session /home/ben/Programoj/texinfo-6.8/info/session.c:220
    #9 0x55571a365a26 in main /home/ben/Programoj/texinfo-6.8/info/info.c:1079
    #10 0x7fca41f5bbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #11 0x55571a3457e9 in _start (/usr/local/bin/info+0x237e9)

0x6020000429f6 is located 0 bytes to the right of 6-byte region [0x6020000429f0,0x6020000429f6)
allocated by thread T0 here:
    #0 0x7fca42633f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x55571a3a8c0e in re_string_realloc_buffers /home/ben/Programoj/texinfo-6.8/gnulib/lib/regex_internal.c:168
    #2 0x55571a3a82e9 in re_string_allocate /home/ben/Programoj/texinfo-6.8/gnulib/lib/regex_internal.c:61
    #3 0x55571a3ca27b in re_search_internal /home/ben/Programoj/texinfo-6.8/gnulib/lib/regexec.c:636
    #4 0x55571a3c88d8 in rpl_regexec /home/ben/Programoj/texinfo-6.8/gnulib/lib/regexec.c:219
    #5 0x55571a37a8f3 in extend_matches /home/ben/Programoj/texinfo-6.8/info/search.c:142
    #6 0x55571a37b1cf in regexp_search /home/ben/Programoj/texinfo-6.8/info/search.c:214
    #7 0x55571a38dfcd in info_search_in_node_internal /home/ben/Programoj/texinfo-6.8/info/session.c:3956
    #8 0x55571a38ed01 in info_search_internal /home/ben/Programoj/texinfo-6.8/info/session.c:4087
    #9 0x55571a392477 in info_search_next /home/ben/Programoj/texinfo-6.8/info/session.c:4688
    #10 0x55571a37e9b3 in info_read_and_dispatch /home/ben/Programoj/texinfo-6.8/info/session.c:252
    #11 0x55571a37e797 in info_session /home/ben/Programoj/texinfo-6.8/info/session.c:220
    #12 0x55571a365a26 in main /home/ben/Programoj/texinfo-6.8/info/info.c:1079
    #13 0x7fca41f5bbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ben/Programoj/texinfo-6.8/gnulib/lib/regexec.c:764 in re_search_internal
Shadow bytes around the buggy address:
  0x0c04800004e0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c04800004f0: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c0480000500: fa fa fd fa fa fa fd fd fa fa fd fa fa fa 04 fa
  0x0c0480000510: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c0480000520: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa fd fa
=>0x0c0480000530: fa fa 00 fa fa fa 00 fa fa fa 00 00 fa fa[06]fa
  0x0c0480000540: fa fa fd fa fa fa fd fd fa fa 00 fa fa fa 00 fa
  0x0c0480000550: fa fa 00 00 fa fa fd fa fa fa fd fd fa fa 00 fa
  0x0c0480000560: fa fa 00 fa fa fa 00 00 fa fa fa fa fa fa fa fa
  0x0c0480000570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480000580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15833==ABORTING
=================================================================
==10934==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200008a7b6 at pc 0x564cedadcfce bp 0x7fff99479b10 sp 0x7fff99479b00
READ of size 1 at 0x60200008a7b6 thread T0
    #0 0x564cedadcfcd in re_search_internal /home/ben/Programoj/nano-5.9/lib/regexec.c:764
    #1 0x564cedada955 in rpl_regexec /home/ben/Programoj/nano-5.9/lib/regexec.c:219
    #2 0x564ceda9f171 in strstrwrapper /home/ben/Programoj/nano-5.9/src/utils.c:265
    #3 0x564ceda80b35 in findnextstr /home/ben/Programoj/nano-5.9/src/search.c:207
    #4 0x564ceda82038 in go_looking /home/ben/Programoj/nano-5.9/src/search.c:425
    #5 0x564ceda81cc1 in do_research /home/ben/Programoj/nano-5.9/src/search.c:380
    #6 0x564ceda81d72 in do_findnext /home/ben/Programoj/nano-5.9/src/search.c:396
    #7 0x564ceda6bb0c in process_a_keystroke /home/ben/Programoj/nano-5.9/src/nano.c:1621
    #8 0x564ceda7176c in main /home/ben/Programoj/nano-5.9/src/nano.c:2541
    #9 0x7f56dd4d1bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #10 0x564ceda345b9 in _start (/home/ben/Programoj/nano-5.9/src/nano+0x235b9)

0x60200008a7b6 is located 0 bytes to the right of 6-byte region [0x60200008a7b0,0x60200008a7b6)
allocated by thread T0 here:
    #0 0x7f56dddd8f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x564cedababdd in re_string_realloc_buffers /home/ben/Programoj/nano-5.9/lib/regex_internal.c:168
    #2 0x564cedaba2b8 in re_string_allocate /home/ben/Programoj/nano-5.9/lib/regex_internal.c:61
    #3 0x564cedadc2f8 in re_search_internal /home/ben/Programoj/nano-5.9/lib/regexec.c:636
    #4 0x564cedada955 in rpl_regexec /home/ben/Programoj/nano-5.9/lib/regexec.c:219
    #5 0x564ceda9f171 in strstrwrapper /home/ben/Programoj/nano-5.9/src/utils.c:265
    #6 0x564ceda80b35 in findnextstr /home/ben/Programoj/nano-5.9/src/search.c:207
    #7 0x564ceda82038 in go_looking /home/ben/Programoj/nano-5.9/src/search.c:425
    #8 0x564ceda81cc1 in do_research /home/ben/Programoj/nano-5.9/src/search.c:380
    #9 0x564ceda81d72 in do_findnext /home/ben/Programoj/nano-5.9/src/search.c:396
    #10 0x564ceda6bb0c in process_a_keystroke /home/ben/Programoj/nano-5.9/src/nano.c:1621
    #11 0x564ceda7176c in main /home/ben/Programoj/nano-5.9/src/nano.c:2541
    #12 0x7f56dd4d1bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ben/Programoj/nano-5.9/lib/regexec.c:764 in re_search_internal
Shadow bytes around the buggy address:
  0x0c04800094a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800094b0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800094c0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800094d0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800094e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c04800094f0: fa fa fd fa fa fa[06]fa fa fa fa fa fa fa fa fa
  0x0c0480009500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480009510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480009520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480009530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480009540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10934==ABORTING