This has been fixed in the second way suggested. Thanks for finding this
out.
The new release is available from
http://gnuwin32.sourceforge.net/
Also, Regex-GNU has been changed into a hidden project, and shouldn't be
visible anymore.
Kees Zeelenberg
----- Original Message -----
From: "Tor Lillqvist" <[EMAIL PROTECTED]>
To: <GnuWin32-Users@lists.sourceforge.net>
Sent: Wednesday, December 13, 2006 1:50 PM
Subject: Re: [GnuWin32-Users] RegEx-GNU distribution considered harmful
> Tor Lillqvist writes:
> > (The current gnuwin32 build of RegEx-Spencer, "3.8.g.3", uses the DLL
> > name rxspencer.dll. Good.)
>
> And whoopee, it turns out that there is a dangerous flaw in the
> 3.8.g.3 version of the RegEx-Spencer library as distributed by
> gnuwin32.
>
> The obsoleted 3.8 version (which is very hard to find from the
> gnuwin32 site, I found it last week, but can't find it now...) works
> correctly, but as I said in my previous message, confusingly uses the
> same name for the DLL as gnuwin32's build of RegEx-GNU does.
>
> Try this simple test program against both versions of the
> RegEx-Spencer library. Build it in a clean mingw environment or in
> MSVC.
>
> #include <stdio.h>
> #include <sys/types.h>
> #include <regex.h>
>
> int
> main (int argc, char **argv)
> {
> const char *pattern = "[ \t]*<mailto:([^@>]+)@?([^ \n\t\r>]*)";
> const char *string = " <mailto:[EMAIL PROTECTED]>";
> regex_t re;
> int j, rc;
> regmatch_t match[3];
>
> rc = regcomp (&re, pattern, REG_EXTENDED|REG_ICASE);
>
> for (j=0;j<3;j++)
> {
> match[j].rm_so = -1;
> match[j].rm_eo = -1;
> }
>
> rc = regexec (&re, string, 3, match, 0);
>
> printf ("Should have matched, rc=%d,
> match={(%ld,%ld),(%ld,%ld),(%ld,%ld)}\n",
> rc,
> match[0].rm_so, match[0].rm_eo,
> match[1].rm_so, match[1].rm_eo,
> match[2].rm_so, match[2].rm_eo);
>
> return 0;
> }
>
> When run against the 3.8.g.3 DLL, you will see that the match array is
> filled in incorrectly after the match:
>
> Should have matched, rc=0, match={(0,0),(46,0),(9,0)}
>
> If you build it with MSVC, it will even crash after printing that...
>
> When run against the RegEx-Spencer 3.8 DLL (called regex.dll, but not
> the same as the regex.dll in RegEx-GNU), the result is correct:
>
> Should have matched, rc=0, match={(0,46),(9,24),(25,46)}
>
> It turns out that the 3.8.g.3 version of the RegEx-Spencer library
> seems to have been built in an environment where off_t is long long,
> not long like it is in the Mircosoft C library and mingw. What the
> heck?
>
> This is horrible. It means that the RegEx-Spencer library thinks the
> regmatch_t struct is 16 bytes (two long longs), while normal
> mingw-compiled code thinks it is 8 bytes (two longs). It means that
> when calling regexec(), it will overwrite the match array, scribbling
> over whatever happens to be allocated after it in memory. (This
> presumably explains the crash when the above program has been built
> with MSVC, it happens to scribble over main's return address on the
> stack, or something like that.)
>
> To see this horror in action, add some variables before and after the
> "match" array in the sample code above, and print out their values
> before and after the regexec() call.
>
> Please, fix this as soon as possible.
>
> Either 1) Recompile RegEx-Spencer in a proper mingw environment
> without any mysterious add-on secret sauce that redefines off_t. (In
> this case, remember that you *must* also use a different name for the
> fixed DLL, as it is no longer ABI compatible with the old
> rxspencer.dll. This will also make it stand out that executables that
> link to the new rxspencer-1.dll (or whatever you choose to call it)
> aren't expected to work with the old one.)
>
> Or, 2) modify the regex.h to spell out that regoff_t is explicitly
> typedeffed as long long. In this case no new DLL name or "bin" package
> is necessary, but a new version of the "lib" package with the modified
> regex.h is of course needed.
>
> --tml
>
> P.S. I guess the "secret sauce" that redefines off_t as long long is
> the "libgw32c" library? But surely using that should not be a
> requirement for users of packages like RegEx-Spencer? If the intention
> really is that it is a requirement, then some mechanism should be
> introduced that causes an error if one tries to include <regex.h> in a
> non-libgw32c-modified environment.
>
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share
> your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> GnuWin32-Users mailing list
> GnuWin32-Users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/gnuwin32-users
>
>
>
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
GnuWin32-Users mailing list
GnuWin32-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/gnuwin32-users
