In article <[email protected]>,
Rin Okuyama  <[email protected]> wrote:
>On 2017/11/15 16:08, Rin Okuyama wrote:
>> On 2017/11/15 15:46, Kamil Rytarowski wrote:
>>> While there we might sync up with upstream tre from:
>>>  https://github.com/laurikari/tre
>>>
>>> Including feeding up local changes as noted in doc/3RDPARTY.
>>
>> Thank you for your comments.
>>
>> I will sync it with upstream before installing headers.
>> Also, I will send a pull request.
>
>Hmm, the upstream has not been actively updated for the past
>few years. Critical bugs including CVE-2016-8859 are left untouched.
>DragonFly and Apple, who use tre as their regex routines in libc,
>also leave the CVE. On the other hand, musl libc aggressively
>fixes bugs.
>
>https://git.musl-libc.org/cgit/musl/tree/src/regex
>
>How about taking fixes from musl, after syncing with the latest
>official upstream? musl itself is under the MIT license,
>but, of course, files from tre are kept under the BSD license.
>
>I'd like to merge their fixes except for nonstandard extensions
>to regular expressions. What do you think about it?
>

Not that it matters in this case, but tre has pathological memory consumption
issues in certain cases. See /usr/src/tests/lib/libtre/Makefile. Also please
make sure that the patches don't break the regression tests.

christos
