
segvault with null terminated input #142

Closed
jcfp opened this issue May 11, 2016 · 3 comments
@jcfp jcfp commented May 11, 2016

hi,

a bug was reported in Debian about a segfault in re2c with null-terminated input:

When re2c reads a file containing '&' (ampersand) followed by a null byte, re2c crashes due to a heap over-read.

The following are the steps to reproduce:
$ echo -ne "&\x00" > A
$ re2c A
Segmentation fault

I'm not sure if the ampersand is actually required, as it seems to segfault with other characters too as long as that null is at the end. The bug was reported against 0.13.5 but this reproduces with 0.16 too.

See the Debian bug report for more details.

@skvadrik skvadrik self-assigned this May 11, 2016
@skvadrik skvadrik commented May 11, 2016

Confirmed, thank you.


skvadrik added a commit that referenced this issue May 11, 2016
Steps to reproduce:
    $ echo -ne "&\x00" > A
    $ re2c A
    Segmentation fault

Analysis: when re2c finds NULL in the input file, it checks for the
end of input; if indeed it has reached the end of input, it stops.
Otherwise, it's just some NULL byte in the middle of input; it should
be handled like any other character.

The first case (NULL as end of input) was handled correctly, but
in the second case (NULL in the middle of input) re2c crashed:
someone forgot to put an appropriate 'goto' statement, which caused
completely ad-hoc control flow in the lexer.
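The commit message above describes the sentinel pattern that re2c-generated lexers rely on: the buffer carries one NUL byte past the payload, and a NUL read by the scanner is only the end of input when the cursor has reached that limit. The following is an added example, not re2c's own code, showing the two NUL cases handled the way the analysis describes: a NUL at the limit stops the scan, a NUL before the limit is consumed like any other byte and control jumps back to the start state. All names (`scan_stats`, `scan_payload`, the accessor functions) are hypothetical, and the input is constructed to mirror the report.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not re2c's own code. A minimal sentinel-terminated scanner
 * in the style of a re2c-generated lexer: the buffer carries one extra NUL
 * byte past the payload (the sentinel; the limit pointer points at it).
 * When the scanner reads a NUL it must ask whether the cursor has reached
 * the limit; only then is it the end of input. A NUL before the limit is
 * ordinary data, and control must jump back to the start state instead of
 * falling through into whatever code happens to follow. All names here
 * (scan_stats, scan_payload, ...) are hypothetical. */

struct scan_stats {
    size_t consumed;    /* bytes consumed from the payload */
    size_t nul_bytes;   /* NUL bytes found before the limit */
    size_t ampersands;  /* '&' bytes, the character from the Debian report */
    int    clean_stop;  /* 1 if the scanner stopped exactly at the limit */
};

/* Scan a payload of `len` bytes that may contain NUL anywhere, including at
 * the very end. Returns 0 on success, -1 if the buffer cannot be allocated. */
int scan_payload(const char *payload, size_t len, struct scan_stats *st)
{
    char *buf = malloc(len + 1);          /* +1 for the sentinel NUL */
    if (buf == NULL)
        return -1;
    memcpy(buf, payload, len);
    buf[len] = '\0';

    const char *cur = buf;
    const char *lim = buf + len;          /* points at the sentinel */
    memset(st, 0, sizeof *st);

    for (;;) {
        switch (*cur) {
        case '\0':
            /* Sentinel or embedded NUL? Only the limit check can tell. */
            if (cur >= lim)
                goto done;                /* real end of input */
            st->nul_bytes++;
            cur++;
            continue;                     /* back to the start state: this is
                                             the jump the original bug lacked */
        case '&':
            st->ampersands++;
            cur++;
            continue;
        default:
            cur++;
            continue;
        }
    }
done:
    st->consumed = (size_t)(cur - buf);
    st->clean_stop = (cur == lim);
    free(buf);
    return 0;
}

/* One-expression accessors used for checks. A failed scan reports 0 / false. */
size_t consumed_bytes(const char *p, size_t n)
{
    struct scan_stats s;
    return scan_payload(p, n, &s) == 0 ? s.consumed : 0;
}
size_t embedded_nuls(const char *p, size_t n)
{
    struct scan_stats s;
    return scan_payload(p, n, &s) == 0 ? s.nul_bytes : 0;
}
int stopped_at_limit(const char *p, size_t n)
{
    struct scan_stats s;
    return scan_payload(p, n, &s) == 0 && s.clean_stop;
}

int main(void)
{
    /* Constructed input mirroring the report: '&' followed by a NUL byte. */
    static const char input[] = { '&', '\0' };
    struct scan_stats st;
    if (scan_payload(input, sizeof input, &st) != 0)
        return 1;
    printf("consumed=%zu nul=%zu amp=%zu clean=%d\n",
           st.consumed, st.nul_bytes, st.ampersands, st.clean_stop);
    return 0;
}
```

The point to check after any change to such a scanner is `clean_stop`: the cursor must end exactly on the limit, never short of it (an embedded NUL mistaken for the end) and never past it (the over-read the report describes). Running the scanner under AddressSanitizer or Valgrind with inputs that end in a NUL byte is the quickest way to catch a regression of this kind.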
@skvadrik skvadrik commented May 11, 2016

Here is a fix: 54711f6 :)

Just a case of forgotten goto which remained unnoticed for years.


@jcfp jcfp commented May 12, 2016

👍 Sure enough that does the job. Thanks!


@jcfp jcfp closed this May 12, 2016
skvadrik added a commit that referenced this issue May 13, 2016