If the original DFA does not have any CSETs, no memory is allocated for CSET.
Even then, DFA tries to copy CSET from the original DFA to the superset.  As
a result, it causes access to unallocated memory.  We have no test
case, so it is very difficult to always reproduce this bug, as
CSET may be added only once in building the superset.
From 6b99a4abd6f969ef17710b0f3ea16e4b0e4ef273 Mon Sep 17 00:00:00 2001
From: Norihiro Tanaka <[email protected]>
Date: Sat, 15 Nov 2014 17:13:10 +0900
Subject: [PATCH] dfa: building superset, access to unallocated memory

If the original DFA does not have any CSETs, no memory is allocated for CSET.
Even then, DFA tries to copy CSET from the original DFA to the superset.  As
a result, it causes access to unallocated memory.  We have no test
case, so it is very difficult to always reproduce this bug, as
CSET may be added only once in building the superset.

* src/dfa.c (dfassbuild): Change so that when the original DFA does not have
any CSETs, they are not copied.
* NEWS (Bug fixes): Mention it.
---
 NEWS      | 4 ++++
 src/dfa.c | 9 ++++++---
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/NEWS b/NEWS
index c465162..ffe0f44 100644
--- a/NEWS
+++ b/NEWS
@@ -45,6 +45,10 @@ GNU grep NEWS                                    -*- outline 
-*-
   of a multibyte character when using a '^'-anchored alternate in a pattern,
   leading it to print non-matching lines.  [bug present since "the beginning"]
 
+  grep no longer crashes for patterns that contain period, bracket expression,
+  back reference, etc.
+  [bug introduced in grep-2.19]
+
   grep -E rejected unmatched ')', instead of treating it like '\)'.
   [bug present since "the beginning"]
 
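Review bot: the new NEWS entry does not describe the condition the commit message gives for the crash; "patterns that contain period, bracket expression, back reference, etc." is open-ended and says nothing about the superset or the absence of character sets, so a reader cannot tell which patterns were affected. Consider stating the trigger in the user's terms, e.g. "grep no longer crashes when building the DFA superset for a pattern with no character classes", and dropping "etc." from the line `+  back reference, etc.`.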
diff --git a/src/dfa.c b/src/dfa.c
index e0fc120..d9ef652 100644
--- a/src/dfa.c
+++ b/src/dfa.c
@@ -3659,9 +3659,12 @@ dfassbuild (struct dfa *d)
   sup->newlines = NULL;
   sup->musts = NULL;
 
-  sup->charclasses = xnmalloc (sup->calloc, sizeof *sup->charclasses);
-  memcpy (sup->charclasses, d->charclasses,
-          d->cindex * sizeof *sup->charclasses);
+  if (sup->calloc > 0)
+    {
+      sup->charclasses = xnmalloc (sup->calloc, sizeof *sup->charclasses);
+      memcpy (sup->charclasses, d->charclasses,
+              d->cindex * sizeof *sup->charclasses);
+    }
 
   sup->tokens = xnmalloc (d->tindex, 2 * sizeof *sup->tokens);
   sup->talloc = d->tindex * 2;
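Review bot: in the new `if (sup->calloc > 0)` block, `sup->charclasses` is assigned only on the true branch, and nothing in the visible context initializes it otherwise; if `sup` is not allocated zeroed, a later `free (sup->charclasses)` in the DFA teardown would operate on an indeterminate pointer. Suggest adding an explicit `else sup->charclasses = NULL;` (or setting it to NULL before the `if`) so the no-CSET case leaves the superset in a well-defined state. Also worth a comment above the `if` noting that the guard exists because `d->charclasses` is never allocated when the original DFA has no CSETs, which is the reason the unconditional `memcpy` read unallocated memory.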
-- 
2.1.3
