[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#779392: libc6: regexec.c:1401: pop_fail_stack: Assertion `num >= 0' failed

Package: libc6
Version: 2.19-15
Tags: security
Usertags: afl

The attached test program, which compiles an invalid regexp and then tries to match a string against it, triggers an assertion:

$ make CFLAGS=-Wall pop_fail_stack
cc -Wall    pop_fail_stack.c   -o pop_fail_stack

$ ./pop_fail_stack
pop_fail_stack: regexec.c:1401: pop_fail_stack: Assertion `num >= 0' failed.

This bug was found using American fuzzy lop:
(available in Debian experimental)

-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libc6 depends on:
ii  libgcc1  1:5-20150226-1

Versions of packages libc6 recommends:
ii  libc6-i686  2.19-15

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.55
ii  glibc-doc              2.19-15
ii  locales                2.19-15

Jakub Wilk
#include <assert.h>
#include <regex.h>
#include <stdio.h>

int main(int argc, char **argv)
    int rc;
    regex_t preg;
    regmatch_t pmatch[2];

    rc = regcomp(&preg, "()*)|\\1)*", REG_EXTENDED);
    assert(rc == 0);
    regexec(&preg, "", 2, pmatch, 0);
    return 0;

Reply to: