[Bug 87] New: Expr crashes on some specific patterns

bugzilla at busybox.net bugzilla at busybox.net
Tue Feb 3 13:49:10 UTC 2009


https://bugs.busybox.net/show_bug.cgi?id=87

           Summary: Expr crashes on some specific patterns
           Product: Busybox
           Version: 1.13.x
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Standard Compliance
        AssignedTo: unassigned at busybox.net
        ReportedBy: rousik at gmail.com
                CC: busybox-cvs at busybox.net
   Estimated Hours: 0.0


Created an attachment (id=49)
 --> (https://bugs.busybox.net/attachment.cgi?id=49)
Patch

busybox expr crashes if a non-matching \(..\)* block appears in the first
position.

Example:
busybox expr match '' '\(x\)*'

In that case regexec returns regmatch_t with only the first entry filled and
busybox tries (without checking) to read a substring from re_regs[1]. But
re_regs[1].rm_so == -1

        /* expr uses an anchored pattern match, so check that there was a
         * match and that the match starts at offset 0. */
        if (regexec(&re_buffer, sv->u.s, NMATCH, re_regs, 0) != REG_NOMATCH
         && re_regs[0].rm_so == 0
        ) {
                /* Were \(...\) used? */
                if (re_buffer.re_nsub > 0) {
                        sv->u.s[re_regs[1].rm_eo] = '\0';
                        v = str_value(sv->u.s + re_regs[1].rm_so);
                } else {
                        v = int_value(re_regs[0].rm_eo);
                }

I suggest that adding && re_regs[1].rm_so != -1 should suffice to overcome this
problem.

Patch attached.
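
The condition described in the report, as an added stand-alone example (not busybox code and not the attached patch): an anchored regexec() match that checks re_regs[1].rm_so before using it. The helper expr_match, struct match_result, and the choice to return an empty string for an unset group are assumptions of this example.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define NMATCH 2

struct match_result {
    int matched;     /* 1 if the pattern matched starting at offset 0 */
    long group_so;   /* regs[1].rm_so as reported by regexec(), -1 if unset */
    long length;     /* regs[0].rm_eo, the value used when no \(...\) is present */
    char sub[64];    /* copy of \1; empty when the group did not participate */
};

/* Hypothetical helper: anchored match with the rm_so guard applied. */
static int expr_match(const char *s, const char *pat, struct match_result *r)
{
    regex_t re;
    regmatch_t regs[NMATCH];

    memset(r, 0, sizeof(*r));
    r->group_so = -1;
    if (regcomp(&re, pat, 0) != 0)   /* 0 = POSIX basic regex, as expr uses */
        return -1;
    if (regexec(&re, s, NMATCH, regs, 0) == 0 && regs[0].rm_so == 0) {
        r->matched = 1;
        r->length = regs[0].rm_eo;
        if (re.re_nsub > 0) {
            r->group_so = regs[1].rm_so;
            /* An unset group has rm_so == rm_eo == -1; using it unchecked
             * reads from s - 1 (and, in the quoted code, writes s[-1]). */
            if (regs[1].rm_so != -1) {
                size_t n = (size_t)(regs[1].rm_eo - regs[1].rm_so);
                if (n >= sizeof(r->sub))
                    n = sizeof(r->sub) - 1;
                memcpy(r->sub, s + regs[1].rm_so, n);
            }
        }
    }
    regfree(&re);
    return 0;
}

int main(void)
{
    struct match_result r;
    expr_match("", "\\(x\\)*", &r);   /* the input from the report */
    printf("matched=%d group_so=%ld sub='%s'\n", r.matched, r.group_so, r.sub);
    return 0;
}
```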

