From e22e4257cd8c4886ce81df54397278c27cc4480c Mon Sep 17 00:00:00 2001
From: plusun
Date: Fri, 27 Jul 2018 11:46:51 +0000
Subject: [PATCH] Fuzzing agrep regex(3): null pointer bug found

---
 tests/fuzz/regex/agrep/regcomp/bug/Makefile | 18 ++++++++++++++++++
 ...sh-5af0c7b1443df5b7824086851d5ce0c62c83185f | 1 +
 ...ut-5af0c7b1443df5b7824086851d5ce0c62c83185f | 18 ++++++++++++++++++
 3 files changed, 37 insertions(+)
 create mode 100644 tests/fuzz/regex/agrep/regcomp/bug/Makefile
 create mode 100644 tests/fuzz/regex/agrep/regcomp/bug/crash-5af0c7b1443df5b7824086851d5ce0c62c83185f
 create mode 100644 tests/fuzz/regex/agrep/regcomp/bug/output-5af0c7b1443df5b7824086851d5ce0c62c83185f

diff --git a/tests/fuzz/regex/agrep/regcomp/bug/Makefile b/tests/fuzz/regex/agrep/regcomp/bug/Makefile
new file mode 100644
index 0000000000000..1a8c62a45fc53
--- /dev/null
+++ b/tests/fuzz/regex/agrep/regcomp/bug/Makefile
@@ -0,0 +1,18 @@
+# $NetBSD: Makefile,v 1.15 2007/05/28 12:06:25 tls Exp $
+# @(#)Makefile 8.2 (Berkeley) 4/2/94
+
+.include
+
+PROG= main
+.PATH: ../
+SRCS= fuzz_regcomp.c
+.PATH: ../../../../
+SRCS+= main.c
+.PATH: ${NETBSDSRCDIR}/external/bsd/tre/dist/lib
+SRCS+= regcomp.c regerror.c regexec.c
+SRCS+= tre-compile.c tre-stack.c tre-mem.c tre-ast.c tre-match-backtrack.c tre-match-approx.c tre-match-parallel.c tre-parse.c
+# .PATH: ${NETBSDSRCDIR}/external/gpl2/grep/dist/intl
+
+CPPFLAGS+=-g -I${NETBSDSRCDIR}/external/bsd/tre/dist/lib/ -I${NETBSDSRCDIR}/external/bsd/tre/include -DHAVE_CONFIG_H=1 -DTRE_SYSTEM_REGEX_H_PATH=\"${NETBSDSRCDIR}/include/regex.h\" -DTRE_USE_SYSTEM_REGEX_H=1 -DTRE_REGEX_T_FIELD=re_g
+
+.include
diff --git a/tests/fuzz/regex/agrep/regcomp/bug/crash-5af0c7b1443df5b7824086851d5ce0c62c83185f b/tests/fuzz/regex/agrep/regcomp/bug/crash-5af0c7b1443df5b7824086851d5ce0c62c83185f
new file mode 100644
index 0000000000000..63e99683a0bb1
--- /dev/null
+++ b/tests/fuzz/regex/agrep/regcomp/bug/crash-5af0c7b1443df5b7824086851d5ce0c62c83185f
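Review bot: Both `.include` directives in the Makefile hunk (its first and last non-comment lines) appear with no file argument, which bsd make would not accept; a NetBSD program Makefile normally reads `.include <bsd.own.mk>` at the top and `.include <bsd.prog.mk>` at the bottom, so the angle-bracketed names were probably lost when the patch was rendered and should be confirmed against the committed file. The `-g` in `CPPFLAGS+=` is a compiler option rather than a preprocessor one and belongs in `CFLAGS+=-g` (or the build system's `DBG` variable), while the commented-out `.PATH:` line for the grep intl directory is dead and could be dropped or given a one-line reason for keeping it. The `$NetBSD: Makefile,v 1.15 2007/05/28 ...$` and `@(#)Makefile 8.2 (Berkeley)` header lines are copied from another file; a newly added file should carry a bare `$NetBSD$` tag so the repository stamps it itself.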
@@ -0,0 +1 @@
+*\{1+, \}\{2, \}
\ No newline at end of file
diff --git a/tests/fuzz/regex/agrep/regcomp/bug/output-5af0c7b1443df5b7824086851d5ce0c62c83185f b/tests/fuzz/regex/agrep/regcomp/bug/output-5af0c7b1443df5b7824086851d5ce0c62c83185f
new file mode 100644
index 0000000000000..d4c7c7b276deb
--- /dev/null
+++ b/tests/fuzz/regex/agrep/regcomp/bug/output-5af0c7b1443df5b7824086851d5ce0c62c83185f
@@ -0,0 +1,18 @@
+UndefinedBehaviorSanitizer:DEADLYSIGNAL
+==25755==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000412b2b bp 0x7f7fffffd060 sp 0x7f7fffffcf00 T1)
+==25755==The signal is caused by a READ memory access.
+==25755==Hint: address points to the zero page.
 #0 0x412b2a in tre_match_empty /public/src/external/bsd/tre/dist/lib/tre-compile.c:1259:17
 #1 0x46e128 in __sanitizer::HandleDeadlySignal(void*, void*, unsigned int, void (*)(__sanitizer::SignalContext const&, void const*, __sanitizer::BufferedStackTrace*), void const*) /public/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_report.cc:234:3
+
+UndefinedBehaviorSanitizer can not provide additional info.
+==25755==ABORTING
+MS: 2 ChangeASCIIInt-ManualDict- DE: "+"-; base unit: 6735f1c4f939e8b7ff4a9814913e24b54e3b6688
+0x2a,0x5c,0x7b,0x31,0x2b,0x2c,0x20,0x5c,0x7d,0x5c,0x7b,0x32,0x2c,0x20,0x5c,0x7d,
+*\\{1+, \\}\\{2, \\}
+artifact_prefix='./'; Test unit written to ./crash-5af0c7b1443df5b7824086851d5ce0c62c83185f
+Base64: Klx7MSssIFx9XHsyLCBcfQ==
+*** Error code 1
+
+Stop.
+make: stopped in /public/src/tests/fuzz/regex/agrep/regcomp