Bug#779392: libc6: regexec.c:1401: pop_fail_stack: Assertion `num >= 0' failed
Package: libc6
Version: 2.19-15
Tags: security
Usertags: afl
The attached test program, which compiles an invalid regexp and then
tries to match a string against it, triggers an assertion:
$ make CFLAGS=-Wall pop_fail_stack
cc -Wall pop_fail_stack.c -o pop_fail_stack
$ ./pop_fail_stack
pop_fail_stack: regexec.c:1401: pop_fail_stack: Assertion `num >= 0' failed.
Aborted
This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/
(available in Debian experimental)
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages libc6 depends on:
ii libgcc1 1:5-20150226-1
Versions of packages libc6 recommends:
ii libc6-i686 2.19-15
Versions of packages libc6 suggests:
ii debconf [debconf-2.0] 1.5.55
ii glibc-doc 2.19-15
ii locales 2.19-15
--
Jakub Wilk
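#include <assert.h>
#include <regex.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    int rc;
    regex_t preg;
    regmatch_t pmatch[2];

    /* The pattern is invalid, yet regcomp() is expected to accept it. */
    rc = regcomp(&preg, "()*)|\\1)*", REG_EXTENDED);
    assert(rc == 0);
    /* Matching the empty string triggers the assertion in pop_fail_stack. */
    regexec(&preg, "", 2, pmatch, 0);
    regfree(&preg);
    return 0;
}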
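Added example, not part of the original report and not glibc code: a caller that must accept untrusted patterns can contain an abort like the one above by running regcomp()/regexec() in a child process and checking how the child ended. The helper name isolated_match, the result enum and the 2-second alarm are assumptions made for illustration.

```c
#include <regex.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

enum rx_result { RX_MATCH, RX_NOMATCH, RX_BAD_PATTERN, RX_KILLED, RX_ERROR };

/* Hypothetical helper: match text against an untrusted ERE in a child process.
 * If the child dies from a signal, *sig receives the signal number. */
enum rx_result isolated_match(const char *pattern, const char *text, int *sig)
{
    int status;
    pid_t pid;

    *sig = 0;
    pid = fork();
    if (pid < 0)
        return RX_ERROR;

    if (pid == 0) {                 /* child: an abort here stays here */
        regex_t preg;
        regmatch_t pmatch[2];       /* same nmatch as the reproducer */
        alarm(2);                   /* assumed limit for runaway matching */
        if (regcomp(&preg, pattern, REG_EXTENDED) != 0)
            _exit(RX_BAD_PATTERN);
        _exit(regexec(&preg, text, 2, pmatch, 0) == 0 ? RX_MATCH : RX_NOMATCH);
    }

    if (waitpid(pid, &status, 0) != pid)
        return RX_ERROR;
    if (WIFSIGNALED(status)) {      /* SIGABRT from assert(), SIGALRM, ... */
        *sig = WTERMSIG(status);
        return RX_KILLED;
    }
    if (WIFEXITED(status) && WEXITSTATUS(status) <= RX_BAD_PATTERN)
        return (enum rx_result)WEXITSTATUS(status);
    return RX_ERROR;
}

int main(void)
{
    int sig;
    /* Pattern and subject string taken from the reproducer in this report. */
    enum rx_result r = isolated_match("()*)|\\1)*", "", &sig);
    if (r == RX_KILLED)
        printf("child killed by signal %d; caller still running\n", sig);
    else
        printf("child finished with result %d\n", (int)r);
    return 0;
}
```

On a libc that still has the assertion, the child is reported as RX_KILLED with the SIGABRT number; on a libc without it, the call returns one of the ordinary results.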