Fix crash in lexer refill (reported by Agostino Sarubbo).
The crash happened in a rare case of a very long lexeme that doesn't fit into the buffer, forcing buffer reallocation. The crash was caused by an incorrect calculation of the shift offset (it was smaller than necessary). As a consequence, the data from buffer start and up to the beginning of the current lexeme was not discarded (as it should have been), resulting in less free space for new data than expected.
c4603ba
Hi, I'm trying to reproduce this issue in versions older than 1.3. Is there any PoC available?
I saw that the code is quite different between 1.3 and versions < 1.2.
I think the bug was introduced in commit 2f3e597, in re2c-1.2 (the previous version without the bug is re2c-1.1.1). I'm attaching the input file which crashed re2c: 119.crashes.re.txt (constructed with a fuzzer).
@skvadrik I did a git bisect which led me to
Which indicates the first bad commit would be 1edd26a, which would be later than 2f3e597, but the issue was just covered? Does this make sense?
@carnil Yes. The logical error was introduced in 2f3e597abce36fb7f41413373308b7f13fc98181 in using
shift_ptrs(buf - bot); instead of shift_ptrs(buf - tok); here. However, it was, as you said, covered by the following condition, so the actual error was introduced in 1edd26a. Thanks for bisecting!
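To make the offset error from the commit message and the buf - bot / buf - tok comment above concrete, here is a constructed C model of the refill step (added example, not re2c's own scanner.cc; Buf, refill and simulate are hypothetical names): the lexeme is copied to a fresh block, the pointers are shifted either the fixed way or the pre-fix way, and the room actually left after lim is compared with the need bytes the reader would then write there.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a re2c-style scanner buffer (added example, not re2c's
   scanner.cc): bot..lim is buffered input, tok starts the lexeme being scanned,
   cur is the cursor. All pointers live inside one heap block. */
typedef struct { char *bot, *tok, *cur, *lim; } Buf;

static void shift_ptrs(Buf *b, ptrdiff_t off) {   /* role of shift_ptrs above */
    b->tok += off; b->cur += off; b->lim += off;
}

/* Grow the buffer when lexeme tok..lim leaves fewer than `need` free bytes. The
   lexeme is copied to the start of a new block, so pointers must move by
   (buf - tok); the pre-fix code used (buf - bot), short by (tok - bot), as if
   the dead prefix were still present. Returns the room actually left between
   lim and the end of the block; the refill then reads `need` bytes at lim, so
   any result below `need` is a heap overflow of (need - result) bytes. */
static ptrdiff_t refill(Buf *b, size_t need, int fixed) {
    size_t live = (size_t)(b->lim - b->tok);
    size_t newsize = live + need;
    char *buf = malloc(newsize);
    if (!buf) abort();
    memcpy(buf, b->tok, live);                  /* keep only the lexeme */
    ptrdiff_t off = fixed ? buf - b->tok        /* correct */
                          : buf - b->bot;       /* bug */
    free(b->bot);
    b->bot = buf;
    shift_ptrs(b, off);
    return (ptrdiff_t)newsize - (b->lim - b->bot);
}

/* A buffer with `prefix` consumed bytes and a `live`-byte lexeme in progress,
   then a refill asking for `need` more bytes. Returns the room left after lim
   as the refill logic sees it; the fixed code always returns exactly `need`. */
ptrdiff_t simulate(size_t prefix, size_t live, size_t need, int fixed) {
    Buf b;
    b.bot = malloc(prefix + live);
    if (!b.bot) abort();
    memset(b.bot, 'x', prefix + live);          /* constructed sample input */
    b.tok = b.bot + prefix;
    b.cur = b.lim = b.bot + prefix + live;      /* cursor hit end of data */
    ptrdiff_t avail = refill(&b, need, fixed);
    free(b.bot);
    return avail;
}
```

With a 4000-byte consumed prefix, a 32-byte lexeme and a request for 64 bytes, the pre-fix shift leaves 64 - 4000 bytes of room (the read overruns the block by 4000 bytes) while the fixed shift leaves exactly 64; with no consumed prefix the two agree, which is why the bug only showed up on very long lexemes.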
It seems it is still not completely fixed: https://bugs.mageia.org/show_bug.cgi?id=26549
@neoclust The bug you linked is related to #219 (comment), not this bug. This one was a buffer overflow (which was fixed). The repro in https://bugs.mageia.org/show_bug.cgi?id=26549#c7 limits stack size to 256 bytes --- it is very small, so one of the recursive functions causes a stack overflow.